From 2593292e3694752ffff1b6f365328b834cae0b14 Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Mon, 15 Jun 2026 19:29:43 +0300
Subject: [PATCH 01/23] AMP-31141 : Re-enable and redesign CSRF protection for
 state-changing web flows except rest(next)

---
 .../digijava/kernel/taglib/html/FormTag.java  |  27 ++++
 .../webapp/WEB-INF/applicationContext.xml     |  12 +-
 .../dynLocationManager/dynLocationManager.jsp |   3 +
 .../WEB-INF/jsp/aim/view/luceneIndex.jsp      |   1 +
 .../WEB-INF/jsp/aim/view/scripts/common.js    | 115 ++++++++++++++++++
 .../view/doctabmanager/docTabManager.jsp      |   7 +-
 .../view/labelmanager/labelManager.jsp        |   2 +
 .../WEB-INF/jsp/translate/view/addkey.jsp     |   1 +
 .../jsp/translate/view/globaladdkey.jsp       |   1 +
 .../jsp/translate/view/globaltranslation.jsp  |   1 +
 .../jsp/translate/view/translation.jsp        |   1 +
 .../main/webapp/WEB-INF/jsp/um/view/reset.jsp |   3 +-
 12 files changed, 167 insertions(+), 7 deletions(-)

diff --git a/amp/src/main/java/org/digijava/kernel/taglib/html/FormTag.java b/amp/src/main/java/org/digijava/kernel/taglib/html/FormTag.java
index a5003eca476..331794290d6 100644
--- a/amp/src/main/java/org/digijava/kernel/taglib/html/FormTag.java
+++ b/amp/src/main/java/org/digijava/kernel/taglib/html/FormTag.java
@@ -22,6 +22,7 @@
 
 package org.digijava.kernel.taglib.html;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.struts.taglib.TagUtils;
 import org.apache.struts.taglib.html.Constants;
 import org.digijava.kernel.request.Site;
@@ -31,6 +32,7 @@
 import org.digijava.kernel.util.SiteCache;
 import org.digijava.kernel.util.SiteConfigUtils;
 import org.digijava.kernel.util.SiteUtils;
+import org.springframework.security.web.csrf.CsrfToken;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -161,6 +163,7 @@ public int doStartTag() throws JspException {
         results.append(this.renderFormStart());
 
         results.append(renderToken());
+        results.append(renderSpringCsrfToken(request));
 
         TagUtils.getInstance().write(pageContext, results.toString());
 
@@ -286,6 +289,30 @@ protected String renderFormStart() throws JspException {
         return results.toString();
     }
 
+    protected String renderSpringCsrfToken(HttpServletRequest request) {
+        if (isSafeMethod()) {
+            return "";
+        }
+
+        CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
+        if (csrfToken == null) {
+            return "";
+        }
+
+        return "<input type=\"hidden\" name=\""
+                + StringEscapeUtils.escapeHtml(csrfToken.getParameterName())
+                + "\" value=\""
+                + StringEscapeUtils.escapeHtml(csrfToken.getToken())
+                + "\" />";
+    }
+
+    private boolean isSafeMethod() {
+        return "get".equalsIgnoreCase(method)
+                || "head".equalsIgnoreCase(method)
+                || "options".equalsIgnoreCase(method)
+                || "trace".equalsIgnoreCase(method);
+    }
+
     /**
      * Release any acquired resources.
      */
diff --git a/amp/src/main/webapp/WEB-INF/applicationContext.xml b/amp/src/main/webapp/WEB-INF/applicationContext.xml
index 451b5dc129d..30bc74892be 100644
--- a/amp/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/amp/src/main/webapp/WEB-INF/applicationContext.xml
@@ -18,6 +18,8 @@
 	<http-firewall ref="customHttpFirewall"/>
 
 	<beans:bean id="gisAuthenticationCheckService" class="org.digijava.kernel.util.GisSecurityUtilService"/>
+	<beans:bean id="csrfTokenRepository" class="org.springframework.security.web.csrf.CookieCsrfTokenRepository" factory-method="withHttpOnlyFalse"/>
+	<beans:bean id="ampWebCsrfRequestMatcher" class="org.digijava.kernel.security.csrf.AmpWebCsrfRequestMatcher"/>
 
 
 	<http pattern="/TEMPLATE/ampTEMPLATE**" security="none" />
@@ -201,22 +203,22 @@
 
     <http pattern="/um/user/showResetForm.do*" use-expressions="false" entry-point-ref="digestEntryPoint" realm="AMP-Realm" >
         <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
-		<csrf disabled="true"/>
+		<csrf request-matcher-ref="ampWebCsrfRequestMatcher" token-repository-ref="csrfTokenRepository"/>
 	</http>
 
 	<http pattern="/contentrepository/docFromTemplate.do*" use-expressions="false" entry-point-ref="digestEntryPoint" realm="AMP-Realm" >
 		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
-		<csrf disabled="true"/>
+		<csrf request-matcher-ref="ampWebCsrfRequestMatcher" token-repository-ref="csrfTokenRepository"/>
 	</http>
 
 	<http pattern="/contentrepository/publicDocTabManager.do*" use-expressions="false" entry-point-ref="digestEntryPoint" realm="AMP-Realm" >
 		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
-		<csrf disabled="true"/>
+		<csrf request-matcher-ref="ampWebCsrfRequestMatcher" token-repository-ref="csrfTokenRepository"/>
 	</http>
 
     <http pattern="/um/userResetPassword.do*" use-expressions="false" entry-point-ref="digestEntryPoint" realm="AMP-Realm" >
         <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
-		<csrf disabled="true"/>
+		<csrf request-matcher-ref="ampWebCsrfRequestMatcher" token-repository-ref="csrfTokenRepository"/>
 	</http>
 
     <http pattern="/index.do*"  use-expressions="false" entry-point-ref="digestEntryPoint" realm="AMP-Realm" >
@@ -250,7 +252,7 @@
 	<http entry-point-ref="digestEntryPoint" realm="AMP-Realm" use-expressions="false">
 		<!-- do not allow anonymous tokens, they are enabled by default ! -->
 		<anonymous enabled="false" />
-		<csrf disabled="true"/>
+		<csrf request-matcher-ref="ampWebCsrfRequestMatcher" token-repository-ref="csrfTokenRepository"/>
 
 		<!-- digest filter reference, as the authentication filter for the security
 			chain -->
diff --git a/amp/src/main/webapp/WEB-INF/jsp/aim/view/dynLocationManager/dynLocationManager.jsp b/amp/src/main/webapp/WEB-INF/jsp/aim/view/dynLocationManager/dynLocationManager.jsp
index e9cfd4b077a..14e86fa2e66 100644
--- a/amp/src/main/webapp/WEB-INF/jsp/aim/view/dynLocationManager/dynLocationManager.jsp
+++ b/amp/src/main/webapp/WEB-INF/jsp/aim/view/dynLocationManager/dynLocationManager.jsp
@@ -331,6 +331,7 @@
 </div>
 <div style="display: none;">
 	<form id="addNewLocationForm"  method="post" action="/aim/addNewLocation.do">
+		<jsp:include page="/WEB-INF/jsp/common/csrfInput.jsp" />
 		<input type="hidden" name="parentCatValId" />
 		<input type="hidden" name="parentLocationId" />
 		<input type="hidden" name="editedId" />
@@ -339,6 +340,7 @@
 </div>
 <div style="display: none;">
 	<form id="dynLocationManagerForm" action="/aim/dynLocationManager.do" method="post">
+		<jsp:include page="/WEB-INF/jsp/common/csrfInput.jsp" />
 		<input type="hidden" name="treeStructure" />
 		<input type="hidden" name="unorgLocations" />
 		<input type="hidden" name="deleteLocationId" />
@@ -346,6 +348,7 @@
 </div>
 <div style="display: none;">
 	<form id="indicatorLayerForm"  method="post" action="/aim/indicatorLayerManager.do">
+		<jsp:include page="/WEB-INF/jsp/common/csrfInput.jsp" />
 		<input type="hidden" name="event" />
 	</form>
 </div>
diff --git a/amp/src/main/webapp/WEB-INF/jsp/aim/view/luceneIndex.jsp b/amp/src/main/webapp/WEB-INF/jsp/aim/view/luceneIndex.jsp
index 0809f35a2be..0420bd84264 100644
--- a/amp/src/main/webapp/WEB-INF/jsp/aim/view/luceneIndex.jsp
+++ b/amp/src/main/webapp/WEB-INF/jsp/aim/view/luceneIndex.jsp
@@ -71,6 +71,7 @@
 				<tr>
 					<td height=16 valign="center" width=571>
 						<form action="/luceneIndex.do" method="post">
+							<jsp:include page="/WEB-INF/jsp/common/csrfInput.jsp" />
 							Field:<input type="text" name="field" size="30" />
 							String:<input type="text" name="search" size="30" />
 							<input type="text" name="action" value="view"/>
diff --git a/amp/src/main/webapp/WEB-INF/jsp/aim/view/scripts/common.js b/amp/src/main/webapp/WEB-INF/jsp/aim/view/scripts/common.js
index 006916c4157..faf323bdbeb 100644
--- a/amp/src/main/webapp/WEB-INF/jsp/aim/view/scripts/common.js
+++ b/amp/src/main/webapp/WEB-INF/jsp/aim/view/scripts/common.js
@@ -1,6 +1,121 @@
  function unload() {
  }
 
+ (function () {
+	 var CSRF_COOKIE = "XSRF-TOKEN";
+	 var CSRF_HEADER = "X-XSRF-TOKEN";
+	 var CSRF_PARAMETER = "_csrf";
+
+	 function getCookie(name) {
+		 var namePrefix = name + "=";
+		 var cookies = document.cookie ? document.cookie.split(";") : [];
+		 for (var index = 0; index < cookies.length; index++) {
+			 var cookie = cookies[index].replace(/^\s+|\s+$/g, "");
+			 if (cookie.indexOf(namePrefix) === 0) {
+				 return decodeURIComponent(cookie.substring(namePrefix.length));
+			 }
+		 }
+		 return null;
+	 }
+
+	 function getCsrfToken() {
+		 return getCookie(CSRF_COOKIE);
+	 }
+
+	 function isUnsafeMethod(method) {
+		 var normalizedMethod = (method || "GET").toUpperCase();
+		 return normalizedMethod !== "GET" && normalizedMethod !== "HEAD"
+			 && normalizedMethod !== "OPTIONS" && normalizedMethod !== "TRACE";
+	 }
+
+	 function isSameOrigin(url) {
+		 if (!url || (url.charAt(0) === "/" && url.charAt(1) !== "/")) {
+			 return true;
+		 }
+		 if (url.indexOf("http://") !== 0 && url.indexOf("https://") !== 0 && url.indexOf("//") !== 0) {
+			 return true;
+		 }
+
+		 var anchor = document.createElement("a");
+		 anchor.href = url;
+		 return anchor.protocol === window.location.protocol && anchor.host === window.location.host;
+	 }
+
+	 function addCsrfToForm(form) {
+		 var token = getCsrfToken();
+		 if (!token || !form || !isUnsafeMethod(form.method) || !isSameOrigin(form.action)) {
+			 return;
+		 }
+
+		 var tokenInput = form.elements[CSRF_PARAMETER];
+		 if (!tokenInput) {
+			 tokenInput = document.createElement("input");
+			 tokenInput.type = "hidden";
+			 tokenInput.name = CSRF_PARAMETER;
+			 form.appendChild(tokenInput);
+		 }
+		 tokenInput.value = token;
+	 }
+
+	 if (document.addEventListener) {
+		 document.addEventListener("submit", function (event) {
+			 addCsrfToForm(event.target);
+		 }, true);
+	 } else if (document.attachEvent) {
+		 document.attachEvent("onsubmit", function () {
+			 addCsrfToForm(window.event.srcElement);
+		 });
+	 }
+
+	 if (window.XMLHttpRequest && window.XMLHttpRequest.prototype) {
+		 var originalOpen = window.XMLHttpRequest.prototype.open;
+		 var originalSend = window.XMLHttpRequest.prototype.send;
+
+		 window.XMLHttpRequest.prototype.open = function (method, url) {
+			 this.ampCsrfMethod = method;
+			 this.ampCsrfUrl = url;
+			 return originalOpen.apply(this, arguments);
+		 };
+
+		 window.XMLHttpRequest.prototype.send = function () {
+			 var token = getCsrfToken();
+			 if (token && isUnsafeMethod(this.ampCsrfMethod) && isSameOrigin(this.ampCsrfUrl)) {
+				 try {
+					 this.setRequestHeader(CSRF_HEADER, token);
+				 } catch (ignored) {
+				 }
+			 }
+			 return originalSend.apply(this, arguments);
+		 };
+	 }
+
+	 if (window.fetch) {
+		 var originalFetch = window.fetch;
+		 window.fetch = function (input, init) {
+			 var options = init || {};
+			 var method = options.method || (input && input.method) || "GET";
+			 var url = typeof input === "string" ? input : (input && input.url);
+			 var token = getCsrfToken();
+
+			 if (token && isUnsafeMethod(method) && isSameOrigin(url)) {
+				 options = init || {};
+				 if (window.Headers && options.headers instanceof window.Headers) {
+					 options.headers = new window.Headers(options.headers);
+					 options.headers.set(CSRF_HEADER, token);
+				 } else if (Object.prototype.toString.call(options.headers) === "[object Array]") {
+					 options.headers.push([CSRF_HEADER, token]);
+				 } else {
+					 options.headers = options.headers || {};
+					 options.headers[CSRF_HEADER] = token;
+				 }
+				 return originalFetch.call(this, input, options);
+			 }
+
+			 return originalFetch.apply(this, arguments);
+		 };
+	 }
+ }());
+
 
  if (!Array.prototype.indexOf) {
      Array.prototype.indexOf = function (searchElement /*, fromIndex */ ) {
diff --git a/amp/src/main/webapp/WEB-INF/jsp/contentrepository/view/doctabmanager/docTabManager.jsp b/amp/src/main/webapp/WEB-INF/jsp/contentrepository/view/doctabmanager/docTabManager.jsp
index 19f5307f5d0..4e450e8db0e 100644
--- a/amp/src/main/webapp/WEB-INF/jsp/contentrepository/view/doctabmanager/docTabManager.jsp
+++ b/amp/src/main/webapp/WEB-INF/jsp/contentrepository/view/doctabmanager/docTabManager.jsp
@@ -133,6 +133,11 @@ var trnObj		= {
 	function retrieveFilterData(filterId) {
 		YAHOO.util.Connect.asyncRequest('GET', '/contentrepository/publicDocTabManager.do?time='+ new Date().getTime()+'&action=jsonfilter&filterId='+filterId, new RetrieveFilters(publicListObj) );
 	}
+
+	function deleteFilter(filterId) {
+		document.forms["crDocTabManagerForm"].action	= "/contentrepository/publicDocTabManager.do?action=delete&filterId=" + filterId;
+		document.forms["crDocTabManagerForm"].submit();
+	}
 	
 	YAHOO.util.Event.on(window, "load", afterPageLoad);
 	
@@ -253,7 +258,7 @@ var trnObj		= {
 										${filter.name}
 									</a> 
 									[<a style="cursor:pointer; text-decoration:none; color: blue" 
-									href="/contentrepository/publicDocTabManager.do?action=delete&filterId=${filter.id}"><digi:trn>Delete</digi:trn></a>]
+									href="#" onclick="deleteFilter(${filter.id}); return false;"><digi:trn>Delete</digi:trn></a>]
 								</li>
 							</c:forEach>
 							</ul>
diff --git a/amp/src/main/webapp/WEB-INF/jsp/contentrepository/view/labelmanager/labelManager.jsp b/amp/src/main/webapp/WEB-INF/jsp/contentrepository/view/labelmanager/labelManager.jsp
index becd717961c..08198990101 100644
--- a/amp/src/main/webapp/WEB-INF/jsp/contentrepository/view/labelmanager/labelManager.jsp
+++ b/amp/src/main/webapp/WEB-INF/jsp/contentrepository/view/labelmanager/labelManager.jsp
@@ -258,6 +258,7 @@
 
 <div id="addEditLabelDiv" style="display: none;">
 	<form id="addEditLabelForm"  method="post" action="/contentrepository/labelManager.do?addOrEdit=true">
+		<jsp:include page="/WEB-INF/jsp/common/csrfInput.jsp" />
 		<input type="hidden" name="editParentUUID" />
 		<input type="hidden" name="editUUID" />
 		<input type="hidden" name="editLabelType" />
@@ -289,6 +290,7 @@
 
 <div style="display: none;">
 	<form id="LabelManagerForm" action="/contentrepository/labelManager.do?delete=true" method="post">
+		<jsp:include page="/WEB-INF/jsp/common/csrfInput.jsp" />
 		<input type="hidden" name="deleteLabelUUID" />
 	</form>
 </div>
diff --git a/amp/src/main/webapp/WEB-INF/jsp/translate/view/addkey.jsp b/amp/src/main/webapp/WEB-INF/jsp/translate/view/addkey.jsp
index 03c467263f0..8353d51b076 100644
--- a/amp/src/main/webapp/WEB-INF/jsp/translate/view/addkey.jsp
+++ b/amp/src/main/webapp/WEB-INF/jsp/translate/view/addkey.jsp
@@ -42,6 +42,7 @@ function addkey(myString)
 
   <body bgcolor="white">
 <form name="form1" method="POST" action="<%=request.getContextPath()%>/translate/complete/trans.do">
+<jsp:include page="/WEB-INF/jsp/common/csrfInput.jsp" />
 
       <table width="100%" border="0" cellpadding="0" cellspacing="0" class="headerNav">
         <tr>
diff --git a/amp/src/main/webapp/WEB-INF/jsp/translate/view/globaladdkey.jsp b/amp/src/main/webapp/WEB-INF/jsp/translate/view/globaladdkey.jsp
index 91bafba5dd0..65b7a4045b0 100644
--- a/amp/src/main/webapp/WEB-INF/jsp/translate/view/globaladdkey.jsp
+++ b/amp/src/main/webapp/WEB-INF/jsp/translate/view/globaladdkey.jsp
@@ -42,6 +42,7 @@ function addkey(myString)
 
   <body bgcolor="white">
 <form name="form1" method="POST" action="<%=request.getContextPath()%>/translate/global/global.do">
+<jsp:include page="/WEB-INF/jsp/common/csrfInput.jsp" />
 
       <table width="100%" border="0" cellpadding="0" cellspacing="0" class="headerNav">
         <tr>
diff --git a/amp/src/main/webapp/WEB-INF/jsp/translate/view/globaltranslation.jsp b/amp/src/main/webapp/WEB-INF/jsp/translate/view/globaltranslation.jsp
index 1c02af5b03d..b4ee7834ecc 100644
--- a/amp/src/main/webapp/WEB-INF/jsp/translate/view/globaltranslation.jsp
+++ b/amp/src/main/webapp/WEB-INF/jsp/translate/view/globaltranslation.jsp
@@ -115,6 +115,7 @@ if(request.getAttribute("No_rows")!=null){
 	<tr>
 	<td>
 	<form name="form1" method="POST" action="<%=request.getContextPath()%>/translate/global/global.do">
+	<jsp:include page="/WEB-INF/jsp/common/csrfInput.jsp" />
 	<input type="hidden" name="src_locale" value="en">
 	  <input type="hidden" name="target_locale" value="en">
 	  <input type="hidden" name="anc" value="">
diff --git a/amp/src/main/webapp/WEB-INF/jsp/translate/view/translation.jsp b/amp/src/main/webapp/WEB-INF/jsp/translate/view/translation.jsp
index 6188855f72c..898935a7edf 100644
--- a/amp/src/main/webapp/WEB-INF/jsp/translate/view/translation.jsp
+++ b/amp/src/main/webapp/WEB-INF/jsp/translate/view/translation.jsp
@@ -115,6 +115,7 @@ if(request.getAttribute("No_rows")!=null){
 	<tr>
 	<td>
 	<form name="form1" method="POST" action="<%=request.getContextPath()%>/translate/complete/trans.do">
+	<jsp:include page="/WEB-INF/jsp/common/csrfInput.jsp" />
 	<input type="hidden" name="src_locale" value="en">
 	  <input type="hidden" name="target_locale" value="en">
 	  <input type="hidden" name="anc" value="">
diff --git a/amp/src/main/webapp/WEB-INF/jsp/um/view/reset.jsp b/amp/src/main/webapp/WEB-INF/jsp/um/view/reset.jsp
index f1c9847ba3f..161ef4212cd 100644
--- a/amp/src/main/webapp/WEB-INF/jsp/um/view/reset.jsp
+++ b/amp/src/main/webapp/WEB-INF/jsp/um/view/reset.jsp
@@ -12,7 +12,8 @@
 <digi:errors/>
       <TABLE width="100%">
 
-      <form action='<%= userResetAction %>' method="post" >
+                  <form action='<%= userResetAction %>' method="post" >
+                        <jsp:include page="/WEB-INF/jsp/common/csrfInput.jsp" />
         
 
 <tr><td colspan="2"><b><font size="5"><digi:trn key="um:resetPassword">Reset Password</digi:trn></font></b></td></tr>

From b604a605728950a59faf6159c391cd9a6f59be5a Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Mon, 15 Jun 2026 19:53:29 +0300
Subject: [PATCH 02/23] AMP-31141 : Failing maven build

---
 amp/pom.xml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/amp/pom.xml b/amp/pom.xml
index 194e7069210..2d8026b284e 100644
--- a/amp/pom.xml
+++ b/amp/pom.xml
@@ -69,6 +69,14 @@
             <name>amp</name>
             <url>https://artifactory.dgdev.org/artifactory/amp/</url>
         </repository>
+        <repository>
+            <snapshots>
+                <enabled>false</enabled>
+            </snapshots>
+            <id>maven-central</id>
+            <name>Maven Central</name>
+            <url>https://repo.maven.apache.org/maven2/</url>
+        </repository>
     </repositories>
     <pluginRepositories>
         <pluginRepository>
@@ -79,6 +87,14 @@
             <name>amp</name>
             <url>https://artifactory.dgdev.org/artifactory/amp/</url>
         </pluginRepository>
+        <pluginRepository>
+            <snapshots>
+                <enabled>false</enabled>
+            </snapshots>
+            <id>maven-central</id>
+            <name>Maven Central</name>
+            <url>https://repo.maven.apache.org/maven2/</url>
+        </pluginRepository>
     </pluginRepositories>
 
     <profiles>

From afcafc4d3f7ec3acf966684f45ae4831f1e9cd0d Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Mon, 15 Jun 2026 20:17:01 +0300
Subject: [PATCH 03/23] AMP-31141 : Re-enable and redesign CSRF protection for
 state-changing web flows except rest(next)

---
 .../csrf/AmpWebCsrfRequestMatcher.java        | 82 +++++++++++++++++++
 .../webapp/WEB-INF/jsp/common/csrfInput.jsp   | 10 +++
 2 files changed, 92 insertions(+)
 create mode 100644 amp/src/main/java/org/digijava/kernel/security/csrf/AmpWebCsrfRequestMatcher.java
 create mode 100644 amp/src/main/webapp/WEB-INF/jsp/common/csrfInput.jsp

diff --git a/amp/src/main/java/org/digijava/kernel/security/csrf/AmpWebCsrfRequestMatcher.java b/amp/src/main/java/org/digijava/kernel/security/csrf/AmpWebCsrfRequestMatcher.java
new file mode 100644
index 00000000000..8e4ba81010d
--- /dev/null
+++ b/amp/src/main/java/org/digijava/kernel/security/csrf/AmpWebCsrfRequestMatcher.java
@@ -0,0 +1,82 @@
+package org.digijava.kernel.security.csrf;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Set;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+public class AmpWebCsrfRequestMatcher implements RequestMatcher {
+
+    private static final Set<String> SAFE_METHODS = new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));
+
+    private final RequestMatcher readOnlyPostMatcher = new OrRequestMatcher(
+            new AntPathRequestMatcher("/search/search.do", "POST"),
+            new AntPathRequestMatcher("/aim/filterDesktopActivities.do", "POST"),
+            new AntPathRequestMatcher("/aim/searchDesktopActivities.do", "POST"),
+            new AntPathRequestMatcher("/aim/validateReportsFilterPicker.do", "POST"),
+            new AntPathRequestMatcher("/aim/export*.do", "POST"),
+            new AntPathRequestMatcher("/help/*Export.do", "POST"),
+            new AntPathRequestMatcher("/calendar/viewEvents.do", "POST"),
+            new AntPathRequestMatcher("/calendar/viewListEvents.do", "POST"),
+            new AntPathRequestMatcher("/calendar/viewMonthEvents.do", "POST"),
+            new AntPathRequestMatcher("/calendar/viewYearEvents.do", "POST"));
+
+    @Override
+    public boolean matches(HttpServletRequest request) {
+        if (isPublicDocTabManagerStateChange(request)) {
+            return true;
+        }
+
+        String method = request.getMethod();
+        if (method != null && SAFE_METHODS.contains(method.toUpperCase(Locale.ROOT))) {
+            return false;
+        }
+
+        if (isReadOnlyDocFromTemplatePost(request)) {
+            return false;
+        }
+
+        return !readOnlyPostMatcher.matches(request);
+    }
+
+    private boolean isReadOnlyDocFromTemplatePost(HttpServletRequest request) {
+        if (!"POST".equalsIgnoreCase(request.getMethod())
+                || !"/contentrepository/docFromTemplate.do".equals(getRequestPath(request))) {
+            return false;
+        }
+
+        String action = request.getParameter("actType");
+        return action == null || action.length() == 0
+                || "loadTemplates".equalsIgnoreCase(action)
+                || "getTemplate".equalsIgnoreCase(action);
+    }
+
+    private boolean isPublicDocTabManagerStateChange(HttpServletRequest request) {
+        if (!"/contentrepository/publicDocTabManager.do".equals(getRequestPath(request))) {
+            return false;
+        }
+
+        String action = request.getParameter("action");
+        return "save".equalsIgnoreCase(action)
+                || "savePositions".equalsIgnoreCase(action)
+                || "delete".equalsIgnoreCase(action);
+    }
+
+    private String getRequestPath(HttpServletRequest request) {
+        String path = request.getServletPath();
+        if (path == null || path.length() == 0) {
+            path = request.getRequestURI();
+            String contextPath = request.getContextPath();
+            if (contextPath != null && contextPath.length() > 0 && path.startsWith(contextPath)) {
+                path = path.substring(contextPath.length());
+            }
+        }
+        return path;
+    }
+}
\ No newline at end of file
diff --git a/amp/src/main/webapp/WEB-INF/jsp/common/csrfInput.jsp b/amp/src/main/webapp/WEB-INF/jsp/common/csrfInput.jsp
new file mode 100644
index 00000000000..de713c991c3
--- /dev/null
+++ b/amp/src/main/webapp/WEB-INF/jsp/common/csrfInput.jsp
@@ -0,0 +1,10 @@
+<%@ page import="org.apache.commons.lang.StringEscapeUtils" %>
+<%@ page import="org.springframework.security.web.csrf.CsrfToken" %>
+<%
+CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
+if (csrfToken != null) {
+%>
+<input type="hidden" name="<%= StringEscapeUtils.escapeHtml(csrfToken.getParameterName()) %>" value="<%= StringEscapeUtils.escapeHtml(csrfToken.getToken()) %>" />
+<%
+}
+%>
\ No newline at end of file

From c3f64d8cc80947b6fb4c325453cc12f22d045146 Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Mon, 15 Jun 2026 21:31:47 +0300
Subject: [PATCH 04/23] AMP-31141 : Re-enable and redesign CSRF protection for
 state-changing web flows except rest(next)

---
 .../components/upload/FileUploadBehavior.java | 43 +++++++++++++++++--
 .../upload/ImageUploadValidationBehavior.java |  2 +-
 .../csrf/AmpWebCsrfRequestMatcher.java        | 25 +++++++++++
 .../digijava/kernel/taglib/html/FormTag.java  | 34 ++++++++++++++-
 .../webapp/WEB-INF/applicationContext.xml     |  2 +-
 .../webapp/WEB-INF/jsp/aim/view/autologin.jsp |  1 +
 .../WEB-INF/jsp/aim/view/scripts/common.js    | 13 ++++++
 .../view/documentManagerJsHelper.jsp          |  4 +-
 8 files changed, 116 insertions(+), 8 deletions(-)

diff --git a/amp/src/main/java/org/dgfoundation/amp/onepager/components/upload/FileUploadBehavior.java b/amp/src/main/java/org/dgfoundation/amp/onepager/components/upload/FileUploadBehavior.java
index a343c4a9c63..32df5385f24 100644
--- a/amp/src/main/java/org/dgfoundation/amp/onepager/components/upload/FileUploadBehavior.java
+++ b/amp/src/main/java/org/dgfoundation/amp/onepager/components/upload/FileUploadBehavior.java
@@ -7,6 +7,7 @@
 import org.apache.wicket.markup.head.OnLoadHeaderItem;
 import org.apache.wicket.model.AbstractReadOnlyModel;
 import org.apache.wicket.model.IModel;
+import org.apache.wicket.protocol.http.servlet.ServletWebRequest;
 import org.apache.wicket.request.Url;
 import org.apache.wicket.request.cycle.RequestCycle;
 import org.apache.wicket.request.resource.JavaScriptResourceReference;
@@ -17,7 +18,11 @@
 import org.digijava.kernel.translator.TranslatorWorker;
 import org.digijava.module.aim.helper.GlobalSettingsConstants;
 import org.digijava.module.aim.util.FeaturesUtil;
+import org.springframework.security.web.csrf.CsrfToken;
 
+import javax.servlet.http.HttpServletRequest;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -71,9 +76,10 @@ public void renderHead(final Component component, IHeaderResponse response) {
         
         String maxFileSizeGS = FeaturesUtil.getGlobalSettingValue(GlobalSettingsConstants.CR_MAX_FILE_SIZE);
         
-        final Map<String, CharSequence> variables = new HashMap<String, CharSequence>();
+        final Map<String, Object> variables = new HashMap<String, Object>();
         variables.put("componentMarkupId", markupId);
-        uploadUrl +="?activityId=" + activityId;
+        uploadUrl = appendQueryParameter(uploadUrl, "activityId", activityId);
+        uploadUrl = appendSpringCsrfToken(uploadUrl);
         variables.put("url", uploadUrl);
         variables.put("paramName", PARAM_NAME);
         variables.put("uploadFailedMsg", TranslatorUtil.getTranslatedText("Upload failed! Please try again."));
@@ -82,8 +88,9 @@ public void renderHead(final Component component, IHeaderResponse response) {
         variables.put("uploadMaxFileSize", Long.toString(Bytes.megabytes(Long.parseLong(maxFileSizeGS)).bytes()));
         variables.put("uploadNoFileLabel", TranslatorWorker.translateText("No file chosen"));
 
-        IModel variablesModel = new AbstractReadOnlyModel() {
-            public Map getObject() {
+        IModel<Map<String, Object>> variablesModel = new AbstractReadOnlyModel<Map<String, Object>>() {
+            @Override
+            public Map<String, Object> getObject() {
                 return variables;
             }
         };
@@ -91,4 +98,32 @@ public Map getObject() {
                 new TextTemplateResourceReference(FileUploadBehavior.class, "FileUploadBehavior.js", variablesModel), String.valueOf(System.currentTimeMillis()), true));
         response.render(OnLoadHeaderItem.forScript("setupFileUpload('#" + markupId + "', '" + uploadUrl + "', '" + PARAM_NAME + "');"));
     }
+
+    static String appendSpringCsrfToken(String url) {
+        RequestCycle requestCycle = RequestCycle.get();
+        if (requestCycle == null || !(requestCycle.getRequest() instanceof ServletWebRequest)) {
+            return url;
+        }
+
+        HttpServletRequest request = ((ServletWebRequest) requestCycle.getRequest()).getContainerRequest();
+        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
+        if (token == null) {
+            return url;
+        }
+
+        return appendQueryParameter(url, token.getParameterName(), token.getToken());
+    }
+
+    private static String appendQueryParameter(String url, String name, String value) {
+        String separator = url.contains("?") ? "&" : "?";
+        return url + separator + urlEncode(name) + "=" + urlEncode(value);
+    }
+
+    private static String urlEncode(String value) {
+        try {
+            return URLEncoder.encode(value, "UTF-8");
+        } catch (UnsupportedEncodingException e) {
+            throw new IllegalStateException(e);
+        }
+    }
 }
diff --git a/amp/src/main/java/org/dgfoundation/amp/onepager/components/upload/ImageUploadValidationBehavior.java b/amp/src/main/java/org/dgfoundation/amp/onepager/components/upload/ImageUploadValidationBehavior.java
index 01e3987f0e5..789a27c1d9c 100644
--- a/amp/src/main/java/org/dgfoundation/amp/onepager/components/upload/ImageUploadValidationBehavior.java
+++ b/amp/src/main/java/org/dgfoundation/amp/onepager/components/upload/ImageUploadValidationBehavior.java
@@ -7,7 +7,6 @@
 import org.apache.wicket.markup.head.JavaScriptHeaderItem;
 import org.apache.wicket.markup.head.OnDomReadyHeaderItem;
 import org.apache.wicket.model.IModel;
-import org.apache.wicket.model.Model;
 import org.apache.wicket.request.Url;
 import org.apache.wicket.request.cycle.RequestCycle;
 import org.apache.wicket.request.resource.JavaScriptResourceReference;
@@ -54,6 +53,7 @@ public void renderHead(Component component, IHeaderResponse response) {
 
         String uploadUrl = RequestCycle.get().getUrlRenderer().renderFullUrl(
                 Url.parse(component.urlFor(new FileUploadResourceReference(activityId, fileItemModel), null).toString()));
+        uploadUrl = FileUploadBehavior.appendSpringCsrfToken(uploadUrl);
         String markupId = component.getMarkupId();
 
 //        response.render(JavaScriptHeaderItem.forReference(
diff --git a/amp/src/main/java/org/digijava/kernel/security/csrf/AmpWebCsrfRequestMatcher.java b/amp/src/main/java/org/digijava/kernel/security/csrf/AmpWebCsrfRequestMatcher.java
index 8e4ba81010d..ddd5bf54c4b 100644
--- a/amp/src/main/java/org/digijava/kernel/security/csrf/AmpWebCsrfRequestMatcher.java
+++ b/amp/src/main/java/org/digijava/kernel/security/csrf/AmpWebCsrfRequestMatcher.java
@@ -32,6 +32,9 @@ public boolean matches(HttpServletRequest request) {
         if (isPublicDocTabManagerStateChange(request)) {
             return true;
         }
+        if (isContentRepositoryDocumentDelete(request)) {
+            return true;
+        }
 
         String method = request.getMethod();
         if (method != null && SAFE_METHODS.contains(method.toUpperCase(Locale.ROOT))) {
@@ -41,10 +44,28 @@ public boolean matches(HttpServletRequest request) {
         if (isReadOnlyDocFromTemplatePost(request)) {
             return false;
         }
+        if (isReadOnlyDocumentManagerPost(request)) {
+            return false;
+        }
 
         return !readOnlyPostMatcher.matches(request);
     }
 
+    private boolean isReadOnlyDocumentManagerPost(HttpServletRequest request) {
+        if (!"POST".equalsIgnoreCase(request.getMethod())
+                || !"/contentrepository/documentManager.do".equals(getRequestPath(request))
+                || isMultipart(request)) {
+            return false;
+        }
+
+        return "true".equalsIgnoreCase(request.getParameter("ajaxDocumentList"));
+    }
+
+    private boolean isMultipart(HttpServletRequest request) {
+        String contentType = request.getContentType();
+        return contentType != null && contentType.toLowerCase(Locale.ROOT).startsWith("multipart/form-data");
+    }
+
     private boolean isReadOnlyDocFromTemplatePost(HttpServletRequest request) {
         if (!"POST".equalsIgnoreCase(request.getMethod())
                 || !"/contentrepository/docFromTemplate.do".equals(getRequestPath(request))) {
@@ -68,6 +89,10 @@ private boolean isPublicDocTabManagerStateChange(HttpServletRequest request) {
                 || "delete".equalsIgnoreCase(action);
     }
 
+    private boolean isContentRepositoryDocumentDelete(HttpServletRequest request) {
+        return "/contentrepository/deleteForDocumentManager.do".equals(getRequestPath(request));
+    }
+
     private String getRequestPath(HttpServletRequest request) {
         String path = request.getServletPath();
         if (path == null || path.length() == 0) {
diff --git a/amp/src/main/java/org/digijava/kernel/taglib/html/FormTag.java b/amp/src/main/java/org/digijava/kernel/taglib/html/FormTag.java
index 331794290d6..0037fb08052 100644
--- a/amp/src/main/java/org/digijava/kernel/taglib/html/FormTag.java
+++ b/amp/src/main/java/org/digijava/kernel/taglib/html/FormTag.java
@@ -34,6 +34,8 @@
 import org.digijava.kernel.util.SiteUtils;
 import org.springframework.security.web.csrf.CsrfToken;
 
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.jsp.JspException;
@@ -246,7 +248,7 @@ protected String renderFormStart() throws JspException {
         results.append(" method=\"");
         results.append(method == null ? "post" : method);
         results.append("\" action=\"");
-        results.append( response.encodeURL(context.toString()) );
+        results.append(response.encodeURL(appendSpringCsrfTokenToMultipartAction(context.toString(), request)));
 
         results.append("\"");
 
@@ -306,6 +308,36 @@ protected String renderSpringCsrfToken(HttpServletRequest request) {
                 + "\" />";
     }
 
+    private String appendSpringCsrfTokenToMultipartAction(String actionUrl, HttpServletRequest request) {
+        if (isSafeMethod() || !isMultipartForm()) {
+            return actionUrl;
+        }
+
+        CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
+        if (csrfToken == null || hasQueryParameter(actionUrl, csrfToken.getParameterName())) {
+            return actionUrl;
+        }
+
+        String separator = actionUrl.indexOf('?') >= 0 ? "&" : "?";
+        return actionUrl + separator + urlEncode(csrfToken.getParameterName()) + "=" + urlEncode(csrfToken.getToken());
+    }
+
+    private boolean isMultipartForm() {
+        return enctype != null && "multipart/form-data".equalsIgnoreCase(enctype);
+    }
+
+    private boolean hasQueryParameter(String url, String parameterName) {
+        return url.contains("?" + parameterName + "=") || url.contains("&" + parameterName + "=");
+    }
+
+    private String urlEncode(String value) {
+        try {
+            return URLEncoder.encode(value, "UTF-8");
+        } catch (UnsupportedEncodingException e) {
+            throw new IllegalStateException(e);
+        }
+    }
+
     private boolean isSafeMethod() {
         return "get".equalsIgnoreCase(method)
                 || "head".equalsIgnoreCase(method)
diff --git a/amp/src/main/webapp/WEB-INF/applicationContext.xml b/amp/src/main/webapp/WEB-INF/applicationContext.xml
index 30bc74892be..ef47db8396f 100644
--- a/amp/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/amp/src/main/webapp/WEB-INF/applicationContext.xml
@@ -184,7 +184,7 @@
 
     <http pattern="/contentrepository/documentManager.do**" use-expressions="false"  entry-point-ref="digestEntryPoint" realm="AMP-Realm" >
         <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
-		<csrf disabled="true"/>
+		<csrf request-matcher-ref="ampWebCsrfRequestMatcher" token-repository-ref="csrfTokenRepository"/>
     </http>
 
     <http pattern="/viewTeamReports.do**" use-expressions="false" entry-point-ref="digestEntryPoint" realm="AMP-Realm" >
diff --git a/amp/src/main/webapp/WEB-INF/jsp/aim/view/autologin.jsp b/amp/src/main/webapp/WEB-INF/jsp/aim/view/autologin.jsp
index 12b59038d4f..ee0b67888cd 100644
--- a/amp/src/main/webapp/WEB-INF/jsp/aim/view/autologin.jsp
+++ b/amp/src/main/webapp/WEB-INF/jsp/aim/view/autologin.jsp
@@ -12,6 +12,7 @@ function delayer(){
 </head>
 <body onLoad="setTimeout('delayer()', 500)">
 <form action="/j_spring_security_check" method="post" name="myAutoForm">
+	<jsp:include page="/WEB-INF/jsp/common/csrfInput.jsp" />
 	<input type="hidden" name="j_username" value="<%=request.getParameter("user")%>"/>
 	<input type="hidden" name="j_password" value="<%=request.getParameter("password")%>" />
 	<input type="hidden" name="j_autoLogin" value="true" />
diff --git a/amp/src/main/webapp/WEB-INF/jsp/aim/view/scripts/common.js b/amp/src/main/webapp/WEB-INF/jsp/aim/view/scripts/common.js
index faf323bdbeb..8b23ae13bfc 100644
--- a/amp/src/main/webapp/WEB-INF/jsp/aim/view/scripts/common.js
+++ b/amp/src/main/webapp/WEB-INF/jsp/aim/view/scripts/common.js
@@ -2,6 +2,11 @@
  }
 
  (function () {
+	 if (window.ampCsrfProtectionInstalled) {
+		 return;
+	 }
+	 window.ampCsrfProtectionInstalled = true;
+
 	 var CSRF_COOKIE = "XSRF-TOKEN";
 	 var CSRF_HEADER = "X-XSRF-TOKEN";
 	 var CSRF_PARAMETER = "_csrf";
@@ -67,6 +72,14 @@
 		 });
 	 }
 
+	 if (window.HTMLFormElement && window.HTMLFormElement.prototype && window.HTMLFormElement.prototype.submit) {
+		 var originalSubmit = window.HTMLFormElement.prototype.submit;
+		 window.HTMLFormElement.prototype.submit = function () {
+			 addCsrfToForm(this);
+			 return originalSubmit.apply(this, arguments);
+		 };
+	 }
+
 	 if (window.XMLHttpRequest && window.XMLHttpRequest.prototype) {
 		 var originalOpen = window.XMLHttpRequest.prototype.open;
 		 var originalSend = window.XMLHttpRequest.prototype.send;
diff --git a/amp/src/main/webapp/WEB-INF/jsp/contentrepository/view/documentManagerJsHelper.jsp b/amp/src/main/webapp/WEB-INF/jsp/contentrepository/view/documentManagerJsHelper.jsp
index a8e2ce488dd..8a8f4c7d667 100644
--- a/amp/src/main/webapp/WEB-INF/jsp/contentrepository/view/documentManagerJsHelper.jsp
+++ b/amp/src/main/webapp/WEB-INF/jsp/contentrepository/view/documentManagerJsHelper.jsp
@@ -7,6 +7,8 @@
 <%@ taglib uri="http://digijava.org/features" prefix="feature" %>
 <%@ taglib uri="http://digijava.org/modules" prefix="module" %>
 
+<script language="JavaScript" type="text/javascript" src="<digi:file src="module/aim/scripts/common.js"/>"></script>
+
 <!-- Individual YUI CSS files -->
 <link type="text/css" rel="stylesheet" href="/TEMPLATE/ampTemplate/js_2/yui/datatable/assets/skins/sam/datatable.css">
 <link rel="stylesheet" type="text/css" href="/TEMPLATE/ampTemplate/js_2/yui/tabview/assets/tabview-core.css">
@@ -680,7 +682,7 @@ function deleteRow(uuid,o) {
 		//YAHOO.amp.panels[2].setFooter("<div align='right'><button type='button' onClick='hidePanel(2)'>Close</button></div>");
 		//showPanel(2);
 		//YAHOO.amp.table.dataTable.deleteRow(possibleRow);
-		YAHOO.util.Connect.asyncRequest('GET', '/contentrepository/deleteForDocumentManager.do?uuid='+uuid, getCallbackForDelete(possibleRows,o));
+		YAHOO.util.Connect.asyncRequest('POST', '/contentrepository/deleteForDocumentManager.do?uuid='+uuid, getCallbackForDelete(possibleRows,o));
 
 	}
 }

From 00da6aab2f4a6a1e3fe5d02214475363a3347fda Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 09:07:40 +0300
Subject: [PATCH 05/23] AMP-31141 : Re-enable and redesign CSRF protection for
 state-changing web flows

---
 .../onepager/web/pages/AmpHeaderFooter.java   |   1 +
 .../web/pages/AmpPMHeaderFooter.java          |   1 +
 amp/static/aim/view/scripts/common.js         | 128 ++++++++++++++++++
 3 files changed, 130 insertions(+)

diff --git a/amp/src/main/java/org/dgfoundation/amp/onepager/web/pages/AmpHeaderFooter.java b/amp/src/main/java/org/dgfoundation/amp/onepager/web/pages/AmpHeaderFooter.java
index 7f901acb917..0a0437fe794 100644
--- a/amp/src/main/java/org/dgfoundation/amp/onepager/web/pages/AmpHeaderFooter.java
+++ b/amp/src/main/java/org/dgfoundation/amp/onepager/web/pages/AmpHeaderFooter.java
@@ -86,6 +86,7 @@ protected void setHeaders(WebResponse response) {
     public void renderHead(IHeaderResponse response) {
         super.renderHead(response);
         YuiLib.load(response);
+        response.render(JavaScriptHeaderItem.forUrl("/static/aim/view/scripts/common.js"));
         response.render(JavaScriptHeaderItem.forUrl("/ckeditor_4.4.6/ckeditor.js"));
         response.render(JavaScriptHeaderItem.forUrl("/TEMPLATE/ampTemplate/js_2/opentip/opentip-jquery2-4-6.js"));
         response.render(JavaScriptHeaderItem.forReference(new PackageResourceReference(AmpStructuresFormSectionFeature.class, "gisPopup.js")));
diff --git a/amp/src/main/java/org/dgfoundation/amp/permissionmanager/web/pages/AmpPMHeaderFooter.java b/amp/src/main/java/org/dgfoundation/amp/permissionmanager/web/pages/AmpPMHeaderFooter.java
index a13ddacc472..774bb2e0bee 100644
--- a/amp/src/main/java/org/dgfoundation/amp/permissionmanager/web/pages/AmpPMHeaderFooter.java
+++ b/amp/src/main/java/org/dgfoundation/amp/permissionmanager/web/pages/AmpPMHeaderFooter.java
@@ -90,6 +90,7 @@ protected void setHeaders(WebResponse response) {
     @Override
     public void renderHead(IHeaderResponse response) {
         super.renderHead(response);
+        response.render(JavaScriptHeaderItem.forUrl("/static/aim/view/scripts/common.js"));
         response.render(JavaScriptHeaderItem.forUrl("/ckeditor/ckeditor.js"));
         response.render(JavaScriptHeaderItem.forUrl("/TEMPLATE/ampTemplate/js_2/opentip/opentip-jquery2-4-6.js"));
         response.render(JavaScriptHeaderItem.forReference(new PackageResourceReference(AmpStructuresFormSectionFeature.class, "gisPopup.js")));
diff --git a/amp/static/aim/view/scripts/common.js b/amp/static/aim/view/scripts/common.js
index 006916c4157..8b23ae13bfc 100644
--- a/amp/static/aim/view/scripts/common.js
+++ b/amp/static/aim/view/scripts/common.js
@@ -1,6 +1,134 @@
  function unload() {
  }
 
+ (function () {
+	 if (window.ampCsrfProtectionInstalled) {
+		 return;
+	 }
+	 window.ampCsrfProtectionInstalled = true;
+
+	 var CSRF_COOKIE = "XSRF-TOKEN";
+	 var CSRF_HEADER = "X-XSRF-TOKEN";
+	 var CSRF_PARAMETER = "_csrf";
+
+	 function getCookie(name) {
+		 var namePrefix = name + "=";
+		 var cookies = document.cookie ? document.cookie.split(";") : [];
+		 for (var index = 0; index < cookies.length; index++) {
+			 var cookie = cookies[index].replace(/^\s+|\s+$/g, "");
+			 if (cookie.indexOf(namePrefix) === 0) {
+				 return decodeURIComponent(cookie.substring(namePrefix.length));
+			 }
+		 }
+		 return null;
+	 }
+
+	 function getCsrfToken() {
+		 return getCookie(CSRF_COOKIE);
+	 }
+
+	 function isUnsafeMethod(method) {
+		 var normalizedMethod = (method || "GET").toUpperCase();
+		 return normalizedMethod !== "GET" && normalizedMethod !== "HEAD"
+			 && normalizedMethod !== "OPTIONS" && normalizedMethod !== "TRACE";
+	 }
+
+	 function isSameOrigin(url) {
+		 if (!url || (url.charAt(0) === "/" && url.charAt(1) !== "/")) {
+			 return true;
+		 }
+		 if (url.indexOf("http://") !== 0 && url.indexOf("https://") !== 0 && url.indexOf("//") !== 0) {
+			 return true;
+		 }
+
+		 var anchor = document.createElement("a");
+		 anchor.href = url;
+		 return anchor.protocol === window.location.protocol && anchor.host === window.location.host;
+	 }
+
+	 function addCsrfToForm(form) {
+		 var token = getCsrfToken();
+		 if (!token || !form || !isUnsafeMethod(form.method) || !isSameOrigin(form.action)) {
+			 return;
+		 }
+
+		 var tokenInput = form.elements[CSRF_PARAMETER];
+		 if (!tokenInput) {
+			 tokenInput = document.createElement("input");
+			 tokenInput.type = "hidden";
+			 tokenInput.name = CSRF_PARAMETER;
+			 form.appendChild(tokenInput);
+		 }
+		 tokenInput.value = token;
+	 }
+
+	 if (document.addEventListener) {
+		 document.addEventListener("submit", function (event) {
+			 addCsrfToForm(event.target);
+		 }, true);
+	 } else if (document.attachEvent) {
+		 document.attachEvent("onsubmit", function () {
+			 addCsrfToForm(window.event.srcElement);
+		 });
+	 }
+
+	 if (window.HTMLFormElement && window.HTMLFormElement.prototype && window.HTMLFormElement.prototype.submit) {
+		 var originalSubmit = window.HTMLFormElement.prototype.submit;
+		 window.HTMLFormElement.prototype.submit = function () {
+			 addCsrfToForm(this);
+			 return originalSubmit.apply(this, arguments);
+		 };
+	 }
+
+	 if (window.XMLHttpRequest && window.XMLHttpRequest.prototype) {
+		 var originalOpen = window.XMLHttpRequest.prototype.open;
+		 var originalSend = window.XMLHttpRequest.prototype.send;
+
+		 window.XMLHttpRequest.prototype.open = function (method, url) {
+			 this.ampCsrfMethod = method;
+			 this.ampCsrfUrl = url;
+			 return originalOpen.apply(this, arguments);
+		 };
+
+		 window.XMLHttpRequest.prototype.send = function () {
+			 var token = getCsrfToken();
+			 if (token && isUnsafeMethod(this.ampCsrfMethod) && isSameOrigin(this.ampCsrfUrl)) {
+				 try {
+					 this.setRequestHeader(CSRF_HEADER, token);
+				 } catch (ignored) {
+				 }
+			 }
+			 return originalSend.apply(this, arguments);
+		 };
+	 }
+
+	 if (window.fetch) {
+		 var originalFetch = window.fetch;
+		 window.fetch = function (input, init) {
+			 var options = init || {};
+			 var method = options.method || (input && input.method) || "GET";
+			 var url = typeof input === "string" ? input : (input && input.url);
+			 var token = getCsrfToken();
+
+			 if (token && isUnsafeMethod(method) && isSameOrigin(url)) {
+				 options = init || {};
+				 if (window.Headers && options.headers instanceof window.Headers) {
+					 options.headers = new window.Headers(options.headers);
+					 options.headers.set(CSRF_HEADER, token);
+				 } else if (Object.prototype.toString.call(options.headers) === "[object Array]") {
+					 options.headers.push([CSRF_HEADER, token]);
+				 } else {
+					 options.headers = options.headers || {};
+					 options.headers[CSRF_HEADER] = token;
+				 }
+				 return originalFetch.call(this, input, options);
+			 }
+
+			 return originalFetch.apply(this, arguments);
+		 };
+	 }
+ }());
+
 
  if (!Array.prototype.indexOf) {
      Array.prototype.indexOf = function (searchElement /*, fromIndex */ ) {

From 5ecea458efcc0e05592786b559f33e2563edaf8c Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 09:18:42 +0300
Subject: [PATCH 06/23] AMP-31141 : Re-enable and redesign CSRF protection for
 state-changing web flows

---
 .../onepager/web/pages/AmpHeaderFooter.java   |  2 +-
 .../web/pages/AmpPMHeaderFooter.java          |  2 +-
 .../WEB-INF/jsp/aim/view/scripts/common.js    | 44 +++++++++++++++++++
 amp/static/aim/view/scripts/common.js         | 44 +++++++++++++++++++
 4 files changed, 90 insertions(+), 2 deletions(-)

diff --git a/amp/src/main/java/org/dgfoundation/amp/onepager/web/pages/AmpHeaderFooter.java b/amp/src/main/java/org/dgfoundation/amp/onepager/web/pages/AmpHeaderFooter.java
index 0a0437fe794..f196fbf1767 100644
--- a/amp/src/main/java/org/dgfoundation/amp/onepager/web/pages/AmpHeaderFooter.java
+++ b/amp/src/main/java/org/dgfoundation/amp/onepager/web/pages/AmpHeaderFooter.java
@@ -86,7 +86,7 @@ protected void setHeaders(WebResponse response) {
     public void renderHead(IHeaderResponse response) {
         super.renderHead(response);
         YuiLib.load(response);
-        response.render(JavaScriptHeaderItem.forUrl("/static/aim/view/scripts/common.js"));
+        response.render(JavaScriptHeaderItem.forUrl("/static/aim/view/scripts/common.js?csrf=1"));
         response.render(JavaScriptHeaderItem.forUrl("/ckeditor_4.4.6/ckeditor.js"));
         response.render(JavaScriptHeaderItem.forUrl("/TEMPLATE/ampTemplate/js_2/opentip/opentip-jquery2-4-6.js"));
         response.render(JavaScriptHeaderItem.forReference(new PackageResourceReference(AmpStructuresFormSectionFeature.class, "gisPopup.js")));
diff --git a/amp/src/main/java/org/dgfoundation/amp/permissionmanager/web/pages/AmpPMHeaderFooter.java b/amp/src/main/java/org/dgfoundation/amp/permissionmanager/web/pages/AmpPMHeaderFooter.java
index 774bb2e0bee..adeb3f97fa8 100644
--- a/amp/src/main/java/org/dgfoundation/amp/permissionmanager/web/pages/AmpPMHeaderFooter.java
+++ b/amp/src/main/java/org/dgfoundation/amp/permissionmanager/web/pages/AmpPMHeaderFooter.java
@@ -90,7 +90,7 @@ protected void setHeaders(WebResponse response) {
     @Override
     public void renderHead(IHeaderResponse response) {
         super.renderHead(response);
-        response.render(JavaScriptHeaderItem.forUrl("/static/aim/view/scripts/common.js"));
+        response.render(JavaScriptHeaderItem.forUrl("/static/aim/view/scripts/common.js?csrf=1"));
         response.render(JavaScriptHeaderItem.forUrl("/ckeditor/ckeditor.js"));
         response.render(JavaScriptHeaderItem.forUrl("/TEMPLATE/ampTemplate/js_2/opentip/opentip-jquery2-4-6.js"));
         response.render(JavaScriptHeaderItem.forReference(new PackageResourceReference(AmpStructuresFormSectionFeature.class, "gisPopup.js")));
diff --git a/amp/src/main/webapp/WEB-INF/jsp/aim/view/scripts/common.js b/amp/src/main/webapp/WEB-INF/jsp/aim/view/scripts/common.js
index 8b23ae13bfc..50103be6547 100644
--- a/amp/src/main/webapp/WEB-INF/jsp/aim/view/scripts/common.js
+++ b/amp/src/main/webapp/WEB-INF/jsp/aim/view/scripts/common.js
@@ -62,6 +62,50 @@
 		 tokenInput.value = token;
 	 }
 
+	 function setCsrfHeader(jqXHR) {
+		 var token = getCsrfToken();
+		 if (token && jqXHR && jqXHR.setRequestHeader) {
+			 try {
+				 jqXHR.setRequestHeader(CSRF_HEADER, token);
+			 } catch (ignored) {
+			 }
+		 }
+	 }
+
+	 function installWicketCsrfProtection() {
+		 if (window.ampWicketCsrfProtectionInstalled) {
+			 return true;
+		 }
+		 if (!window.Wicket || !Wicket.Event || !Wicket.Event.subscribe || !Wicket.Event.Topic) {
+			 return false;
+		 }
+
+		 window.ampWicketCsrfProtectionInstalled = true;
+		 Wicket.Event.subscribe(Wicket.Event.Topic.AJAX_CALL_BEFORE_SEND, function (event, attrs, jqXHR, settings) {
+			 var method = settings && settings.type ? settings.type : (attrs && attrs.mp ? "POST" : attrs && attrs.m);
+			 var url = settings && settings.url ? settings.url : attrs && attrs.u;
+			 if (!isUnsafeMethod(method) || !isSameOrigin(url)) {
+				 return;
+			 }
+
+			 setCsrfHeader(jqXHR);
+			 if (attrs && attrs.mp && attrs.f) {
+				 addCsrfToForm(Wicket.$ ? Wicket.$(attrs.f) : document.getElementById(attrs.f));
+			 }
+		 });
+		 return true;
+	 }
+
+	 if (!installWicketCsrfProtection()) {
+		 var wicketInstallRetries = 40;
+		 var wicketInstallTimer = window.setInterval(function () {
+			 wicketInstallRetries--;
+			 if (installWicketCsrfProtection() || wicketInstallRetries <= 0) {
+				 window.clearInterval(wicketInstallTimer);
+			 }
+		 }, 50);
+	 }
+
 	 if (document.addEventListener) {
 		 document.addEventListener("submit", function (event) {
 			 addCsrfToForm(event.target);
diff --git a/amp/static/aim/view/scripts/common.js b/amp/static/aim/view/scripts/common.js
index 8b23ae13bfc..50103be6547 100644
--- a/amp/static/aim/view/scripts/common.js
+++ b/amp/static/aim/view/scripts/common.js
@@ -62,6 +62,50 @@
 		 tokenInput.value = token;
 	 }
 
+	 function setCsrfHeader(jqXHR) {
+		 var token = getCsrfToken();
+		 if (token && jqXHR && jqXHR.setRequestHeader) {
+			 try {
+				 jqXHR.setRequestHeader(CSRF_HEADER, token);
+			 } catch (ignored) {
+			 }
+		 }
+	 }
+
+	 function installWicketCsrfProtection() {
+		 if (window.ampWicketCsrfProtectionInstalled) {
+			 return true;
+		 }
+		 if (!window.Wicket || !Wicket.Event || !Wicket.Event.subscribe || !Wicket.Event.Topic) {
+			 return false;
+		 }
+
+		 window.ampWicketCsrfProtectionInstalled = true;
+		 Wicket.Event.subscribe(Wicket.Event.Topic.AJAX_CALL_BEFORE_SEND, function (event, attrs, jqXHR, settings) {
+			 var method = settings && settings.type ? settings.type : (attrs && attrs.mp ? "POST" : attrs && attrs.m);
+			 var url = settings && settings.url ? settings.url : attrs && attrs.u;
+			 if (!isUnsafeMethod(method) || !isSameOrigin(url)) {
+				 return;
+			 }
+
+			 setCsrfHeader(jqXHR);
+			 if (attrs && attrs.mp && attrs.f) {
+				 addCsrfToForm(Wicket.$ ? Wicket.$(attrs.f) : document.getElementById(attrs.f));
+			 }
+		 });
+		 return true;
+	 }
+
+	 if (!installWicketCsrfProtection()) {
+		 var wicketInstallRetries = 40;
+		 var wicketInstallTimer = window.setInterval(function () {
+			 wicketInstallRetries--;
+			 if (installWicketCsrfProtection() || wicketInstallRetries <= 0) {
+				 window.clearInterval(wicketInstallTimer);
+			 }
+		 }, 50);
+	 }
+
 	 if (document.addEventListener) {
 		 document.addEventListener("submit", function (event) {
 			 addCsrfToForm(event.target);

From 97bb14693969ddd3e0ba7a1c07edca9cf3a8ed5d Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 09:51:51 +0300
Subject: [PATCH 07/23] AMP-31141 : Activity form not saving due to CSRF

---
 .../amp/onepager/OnePagerApp.java             | 45 ++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/amp/src/main/java/org/dgfoundation/amp/onepager/OnePagerApp.java b/amp/src/main/java/org/dgfoundation/amp/onepager/OnePagerApp.java
index dbbb3902cf4..0e73c3ce390 100644
--- a/amp/src/main/java/org/dgfoundation/amp/onepager/OnePagerApp.java
+++ b/amp/src/main/java/org/dgfoundation/amp/onepager/OnePagerApp.java
@@ -7,9 +7,12 @@
 import org.apache.log4j.Logger;
 import org.apache.wicket.*;
 import org.apache.wicket.ajax.AjaxRequestTarget;
+import org.apache.wicket.ajax.attributes.AjaxCallListener;
+import org.apache.wicket.ajax.attributes.AjaxRequestAttributes;
 import org.apache.wicket.authroles.authentication.AuthenticatedWebApplication;
 import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
 import org.apache.wicket.authroles.authorization.strategies.role.metadata.MetaDataRoleAuthorizationStrategy;
+import org.apache.wicket.core.util.string.JavaScriptUtils;
 import org.apache.wicket.markup.head.*;
 import org.apache.wicket.markup.html.DecoratingHeaderResponse;
 import org.apache.wicket.markup.html.IHeaderResponseDecorator;
@@ -19,7 +22,6 @@
 import org.apache.wicket.protocol.http.servlet.ServletWebResponse;
 import org.apache.wicket.request.Request;
 import org.apache.wicket.request.Response;
-import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
 import org.apache.wicket.request.cycle.RequestCycle;
 import org.apache.wicket.request.http.WebRequest;
 import org.apache.wicket.request.http.WebResponse;
@@ -29,7 +31,9 @@
 import org.dgfoundation.amp.onepager.web.pages.OnePager;
 import org.dgfoundation.amp.permissionmanager.web.pages.PermissionManager;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.web.csrf.CsrfToken;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.net.SocketException;
@@ -164,6 +168,7 @@ public void init() {
         //set UTF-8 as the default encoding for all requests
         getRequestCycleSettings().setResponseRequestEncoding("UTF-8");
         getMarkupSettings().setDefaultMarkupEncoding("UTF-8");
+        addSpringCsrfTokenToWicketAjax();
 
 //        getRequestCycleListeners().add(new AbstractRequestCycleListener() {
 //            @Override
@@ -206,6 +211,44 @@ public void render(HeaderItem item) {
         });
     }
 
+    private void addSpringCsrfTokenToWicketAjax() {
+        getAjaxRequestTargetListeners().add(new AjaxRequestTarget.AbstractListener() {
+            @Override
+            public void updateAjaxAttributes(AjaxRequestAttributes attributes) {
+                CsrfToken token = getCurrentSpringCsrfToken();
+                if (token == null) {
+                    return;
+                }
+
+                String parameterName = escapeJavaScript(token.getParameterName());
+                String tokenValue = escapeJavaScript(token.getToken());
+                attributes.getDynamicExtraParameters().add(
+                        "var method = attrs && attrs.mp ? 'POST' : (attrs && attrs.m ? attrs.m : 'GET');"
+                                + "if (method.toUpperCase() !== 'POST') { return {}; }"
+                                + "return [{name:'" + parameterName + "', value:'" + tokenValue + "'}];");
+
+                AjaxCallListener listener = new AjaxCallListener();
+                listener.onBeforeSend("if (jqXHR && jqXHR.setRequestHeader) { jqXHR.setRequestHeader('"
+                        + escapeJavaScript(token.getHeaderName()) + "', '" + tokenValue + "'); }");
+                attributes.getAjaxCallListeners().add(listener);
+            }
+        });
+    }
+
+    private CsrfToken getCurrentSpringCsrfToken() {
+        RequestCycle requestCycle = RequestCycle.get();
+        if (requestCycle == null || !(requestCycle.getRequest() instanceof ServletWebRequest)) {
+            return null;
+        }
+
+        HttpServletRequest request = ((ServletWebRequest) requestCycle.getRequest()).getContainerRequest();
+        return (CsrfToken) request.getAttribute(CsrfToken.class.getName());
+    }
+
+    private String escapeJavaScript(CharSequence value) {
+        return JavaScriptUtils.escapeQuotes(value).toString();
+    }
+
 
     @Override
     public final Session newSession(Request request, Response response) {

From 0a70668edfac8354dcfbccfebb272af8b592c98d Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 10:46:52 +0300
Subject: [PATCH 08/23] AMP-31141 : Activity form not saving due to CSRF

---
 .../org/dgfoundation/amp/onepager/OnePagerApp.java | 14 ++++++++++++++
 .../security/csrf/AmpWebCsrfRequestMatcher.java    | 10 ++++++++++
 2 files changed, 24 insertions(+)

diff --git a/amp/src/main/java/org/dgfoundation/amp/onepager/OnePagerApp.java b/amp/src/main/java/org/dgfoundation/amp/onepager/OnePagerApp.java
index 0e73c3ce390..92975b7e1ba 100644
--- a/amp/src/main/java/org/dgfoundation/amp/onepager/OnePagerApp.java
+++ b/amp/src/main/java/org/dgfoundation/amp/onepager/OnePagerApp.java
@@ -17,6 +17,7 @@
 import org.apache.wicket.markup.html.DecoratingHeaderResponse;
 import org.apache.wicket.markup.html.IHeaderResponseDecorator;
 import org.apache.wicket.markup.html.WebPage;
+import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
 import org.apache.wicket.protocol.http.servlet.ResponseIOException;
 import org.apache.wicket.protocol.http.servlet.ServletWebRequest;
 import org.apache.wicket.protocol.http.servlet.ServletWebResponse;
@@ -169,6 +170,7 @@ public void init() {
         getRequestCycleSettings().setResponseRequestEncoding("UTF-8");
         getMarkupSettings().setDefaultMarkupEncoding("UTF-8");
         addSpringCsrfTokenToWicketAjax();
+        addWicketCsrfProtection();
 
 //        getRequestCycleListeners().add(new AbstractRequestCycleListener() {
 //            @Override
@@ -249,6 +251,18 @@ private String escapeJavaScript(CharSequence value) {
         return JavaScriptUtils.escapeQuotes(value).toString();
     }
 
+    /**
+     * Register Wicket's own Origin/Referer-based CSRF protection for all Wicket
+     * action requests. Spring CSRF is exempted for /wicket/** in AmpWebCsrfRequestMatcher;
+     * this listener enforces same-origin policy at the Wicket layer instead.
+     */
+    private void addWicketCsrfProtection() {
+        CsrfPreventionRequestCycleListener csrfListener = new CsrfPreventionRequestCycleListener();
+        // Allow requests that have no Origin/Referer header (curl, server-side calls, old proxies)
+        csrfListener.setNoOriginAction(CsrfPreventionRequestCycleListener.CsrfAction.ALLOW);
+        getRequestCycleListeners().add(csrfListener);
+    }
+
 
     @Override
     public final Session newSession(Request request, Response response) {
diff --git a/amp/src/main/java/org/digijava/kernel/security/csrf/AmpWebCsrfRequestMatcher.java b/amp/src/main/java/org/digijava/kernel/security/csrf/AmpWebCsrfRequestMatcher.java
index ddd5bf54c4b..d44f1e0e0a6 100644
--- a/amp/src/main/java/org/digijava/kernel/security/csrf/AmpWebCsrfRequestMatcher.java
+++ b/amp/src/main/java/org/digijava/kernel/security/csrf/AmpWebCsrfRequestMatcher.java
@@ -15,6 +15,12 @@ public class AmpWebCsrfRequestMatcher implements RequestMatcher {
 
     private static final Set<String> SAFE_METHODS = new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));
 
+    /**
+     * Wicket paths are protected by Wicket's own CsrfPreventionRequestCycleListener
+     * (Origin/Referer header check) registered in OnePagerApp. Spring CSRF is not needed there.
+     */
+    private final AntPathRequestMatcher wicketMatcher = new AntPathRequestMatcher("/wicket/**");
+
     private final RequestMatcher readOnlyPostMatcher = new OrRequestMatcher(
             new AntPathRequestMatcher("/search/search.do", "POST"),
             new AntPathRequestMatcher("/aim/filterDesktopActivities.do", "POST"),
@@ -29,6 +35,10 @@ public class AmpWebCsrfRequestMatcher implements RequestMatcher {
 
     @Override
     public boolean matches(HttpServletRequest request) {
+        // Wicket paths handled by Wicket's CsrfPreventionRequestCycleListener
+        if (wicketMatcher.matches(request)) {
+            return false;
+        }
         if (isPublicDocTabManagerStateChange(request)) {
             return true;
         }

From 0103f69c3c759e27b0e949c1ce02ad097c072229 Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 11:33:23 +0300
Subject: [PATCH 09/23] AMP-31140 : CSRF protection on REST endpoints

---
 amp/context.xml                               |   6 +-
 .../security/csrf/RestCsrfOriginFilter.java   | 153 ++++++++++++++++++
 amp/src/main/webapp/WEB-INF/web.xml           |  13 +-
 3 files changed, 169 insertions(+), 3 deletions(-)
 create mode 100644 amp/src/main/java/org/digijava/kernel/security/csrf/RestCsrfOriginFilter.java

diff --git a/amp/context.xml b/amp/context.xml
index 72eb3a2099f..ac48b2a4f43 100644
--- a/amp/context.xml
+++ b/amp/context.xml
@@ -4,7 +4,11 @@
 allowLinking="true" antiJARLocking="" antiResourceLocking="" clearReferencesStopTimerThreads="true"
 clearReferencesThreadLocals="true" jndiExceptionOnFailedWrite="false" processTlds="false">
   <Environment name="hostname" value="" type="java.lang.String"/> 
-  
+
+  <!-- SameSite=Lax: browser will not send the session cookie on cross-site
+       POST/PUT/DELETE requests, providing CSRF protection for all endpoints
+       including /rest/** without requiring any token in requests. -->
+  <CookieProcessor sameSiteCookies="lax" />
   <!-- PostgreSQL connection -->
   <Resource factory="org.apache.tomcat.jdbc.pool.DataSourceFactory" 
   	defaultTransactionIsolation="READ_COMMITTED" 
diff --git a/amp/src/main/java/org/digijava/kernel/security/csrf/RestCsrfOriginFilter.java b/amp/src/main/java/org/digijava/kernel/security/csrf/RestCsrfOriginFilter.java
new file mode 100644
index 00000000000..bbb1b79624e
--- /dev/null
+++ b/amp/src/main/java/org/digijava/kernel/security/csrf/RestCsrfOriginFilter.java
@@ -0,0 +1,153 @@
+package org.digijava.kernel.security.csrf;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Set;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * CSRF protection for the /rest/** Jersey endpoints.
+ *
+ * <p>Spring Security is bypassed for /rest/** (security="none"), so this filter
+ * provides Origin/Referer-based same-origin enforcement instead.
+ *
+ * <p>Strategy:
+ * <ul>
+ *   <li>Safe HTTP methods (GET, HEAD, OPTIONS, TRACE) are always allowed.</li>
+ *   <li>If no Origin or Referer header is present the request is allowed — this
+ *       covers non-browser clients (curl, server-to-server, mobile apps) that
+ *       never send those headers.</li>
+ *   <li>If Origin is present and matches the server host the request is allowed.</li>
+ *   <li>If Origin is present and does NOT match the server host the request is
+ *       rejected with 403.</li>
+ *   <li>If Origin is absent but Referer is present and does not match, the request
+ *       is rejected.</li>
+ * </ul>
+ */
+public class RestCsrfOriginFilter implements Filter {
+
+    private static final Set<String> SAFE_METHODS =
+            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE"));
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        // no initialisation required
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest,
+                         ServletResponse servletResponse,
+                         FilterChain chain) throws IOException, ServletException {
+
+        HttpServletRequest request = (HttpServletRequest) servletRequest;
+        HttpServletResponse response = (HttpServletResponse) servletResponse;
+
+        String method = request.getMethod();
+        if (method == null || SAFE_METHODS.contains(method.toUpperCase(Locale.ROOT))) {
+            chain.doFilter(request, response);
+            return;
+        }
+
+        String originHeader = request.getHeader("Origin");
+        String refererHeader = request.getHeader("Referer");
+
+        // No Origin and no Referer: non-browser client — allow
+        if ((originHeader == null || originHeader.isEmpty())
+                && (refererHeader == null || refererHeader.isEmpty())) {
+            chain.doFilter(request, response);
+            return;
+        }
+
+        String expectedHost = getServerHost(request);
+
+        // Check Origin first (most reliable)
+        if (originHeader != null && !originHeader.isEmpty()) {
+            // "null" Origin comes from privacy-sensitive contexts (file://, data:) - allow
+            if ("null".equals(originHeader)) {
+                chain.doFilter(request, response);
+                return;
+            }
+            if (hostMatches(originHeader, expectedHost)) {
+                chain.doFilter(request, response);
+            } else {
+                response.sendError(HttpServletResponse.SC_FORBIDDEN,
+                        "CSRF check failed: Origin header does not match server host");
+            }
+            return;
+        }
+
+        // Fall back to Referer if Origin is absent
+        if (refererHeader != null && !refererHeader.isEmpty()) {
+            if (hostMatches(refererHeader, expectedHost)) {
+                chain.doFilter(request, response);
+            } else {
+                response.sendError(HttpServletResponse.SC_FORBIDDEN,
+                        "CSRF check failed: Referer header does not match server host");
+            }
+            return;
+        }
+
+        // Should not reach here given earlier checks, but allow by default
+        chain.doFilter(request, response);
+    }
+
+    /**
+     * Returns "host[:port]" for the current request, normalising default ports
+     * (80 for http, 443 for https) so they are omitted from comparison.
+     */
+    private String getServerHost(HttpServletRequest request) {
+        String scheme = request.getScheme().toLowerCase(Locale.ROOT);
+        String host = request.getServerName().toLowerCase(Locale.ROOT);
+        int port = request.getServerPort();
+        if (("http".equals(scheme) && port == 80)
+                || ("https".equals(scheme) && port == 443)) {
+            return host;
+        }
+        return host + ":" + port;
+    }
+
+    /**
+     * Extracts the "host[:port]" from an Origin or Referer header value and
+     * compares it against the expected server host string.
+     */
+    private boolean hostMatches(String headerValue, String expectedHost) {
+        try {
+            URI uri = new URI(headerValue.trim());
+            String scheme = uri.getScheme() != null
+                    ? uri.getScheme().toLowerCase(Locale.ROOT) : "";
+            String uriHost = uri.getHost() != null
+                    ? uri.getHost().toLowerCase(Locale.ROOT) : "";
+            int uriPort = uri.getPort(); // -1 if absent
+
+            String normalised;
+            if (uriPort == -1
+                    || ("http".equals(scheme) && uriPort == 80)
+                    || ("https".equals(scheme) && uriPort == 443)) {
+                normalised = uriHost;
+            } else {
+                normalised = uriHost + ":" + uriPort;
+            }
+            return expectedHost.equals(normalised);
+        } catch (URISyntaxException e) {
+            // Malformed header — treat as non-matching for safety
+            return false;
+        }
+    }
+
+    @Override
+    public void destroy() {
+        // nothing to clean up
+    }
+}
diff --git a/amp/src/main/webapp/WEB-INF/web.xml b/amp/src/main/webapp/WEB-INF/web.xml
index 974f3e0cb3a..130bfe70d14 100644
--- a/amp/src/main/webapp/WEB-INF/web.xml
+++ b/amp/src/main/webapp/WEB-INF/web.xml
@@ -47,8 +47,17 @@
 			org.dgfoundation.amp.error.keeper.DigiXmlECSLoaderListener
 		</listener-class>
 	</listener>
-	<!--                 SEGMENT END                 -->
-	<!--  ADD ENTRIES BELOW -->
+
+        <!-- CSRF Origin/Referer check for /rest/** (Spring Security is bypassed there) -->
+        <filter>
+                <filter-name>restCsrfOriginFilter</filter-name>
+                <filter-class>org.digijava.kernel.security.csrf.RestCsrfOriginFilter</filter-class>
+        </filter>
+        <filter-mapping>
+                <filter-name>restCsrfOriginFilter</filter-name>
+                <url-pattern>/rest/*</url-pattern>
+                <dispatcher>REQUEST</dispatcher>
+        </filter-mapping>
 
 	<filter>
 		<filter-name>characterEncodingFilter</filter-name>

From e4659419f95950f645ecb395094fd5e03f7f18ea Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 13:26:38 +0300
Subject: [PATCH 10/23] AMP-31140 : CSRF protection on REST endpoints

---
 .../endpoints/security/ActionAuthorizer.java  |  12 ++
 .../AuthorizerResourceFilterFactory.java      | 110 ++++++++++++-
 .../security/csrf/RestCsrfOriginFilter.java   | 153 ------------------
 amp/src/main/webapp/WEB-INF/web.xml           |  11 --
 4 files changed, 121 insertions(+), 165 deletions(-)
 delete mode 100644 amp/src/main/java/org/digijava/kernel/security/csrf/RestCsrfOriginFilter.java

diff --git a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ActionAuthorizer.java b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ActionAuthorizer.java
index 3c636567df4..23624380823 100644
--- a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ActionAuthorizer.java
+++ b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ActionAuthorizer.java
@@ -39,6 +39,18 @@ public class ActionAuthorizer {
             .addRuleDependency(AuthRule.VIEW_ACTIVITY, AuthRule.IN_WORKSPACE)
             .build();
 
+    /**
+     * Returns true if the given ApiMethod requires an authenticated user session.
+     * Used by request filters to decide whether CSRF protection is warranted.
+     */
+    public static boolean requiresAuthentication(ApiMethod apiMethod) {
+        if (apiMethod.authTypes().length == 0) {
+            return false;
+        }
+        Collection<AuthRule> authRules = ruleHierarchy.getEffectiveRules(apiMethod.authTypes());
+        return authRules.contains(AuthRule.AUTHENTICATED);
+    }
+
     /**
      * Main process to give authorization to call current method based on its authorization rules 
      * @param method the method to authorize
diff --git a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/AuthorizerResourceFilterFactory.java b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/AuthorizerResourceFilterFactory.java
index 203d82769fc..e55fab92928 100644
--- a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/AuthorizerResourceFilterFactory.java
+++ b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/AuthorizerResourceFilterFactory.java
@@ -7,12 +7,22 @@
 import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.ResourceInfo;
 import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
 import java.io.IOException;
 import java.lang.reflect.Method;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Set;
 
 
 public class AuthorizerResourceFilterFactory implements ContainerRequestFilter {
 
+    private static final Set<String> CSRF_SAFE_METHODS =
+            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE"));
+
     @Context
     private ResourceInfo resourceInfo;
 
@@ -21,7 +31,105 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
         Method method = resourceInfo.getResourceMethod();
         ApiMethod apiMethod = method.getAnnotation(ApiMethod.class);
         if (apiMethod != null) {
+            // Enforce CSRF same-origin check for authenticated endpoints.
+            // Public/unauthenticated endpoints (authTypes empty or absent) are exempt
+            // because there is no privileged session to hijack.
+            if (ActionAuthorizer.requiresAuthentication(apiMethod) && !isSameOrigin(requestContext)) {
+                requestContext.abortWith(Response.status(Response.Status.FORBIDDEN)
+                        .entity("CSRF check failed: cross-origin request rejected").build());
+                return;
+            }
             ActionAuthorizer.authorize(method, apiMethod, (ContainerRequest) requestContext.getRequest());
         }
     }
-}
\ No newline at end of file
+
+    /**
+     * Returns true when the request is same-origin or comes from a non-browser client.
+     * Blocks only when {@code Origin} or {@code Referer} is present but does not match
+     * the server host — the signature of a cross-site browser request.
+     */
+    private boolean isSameOrigin(ContainerRequestContext requestContext) {
+        String httpMethod = requestContext.getMethod();
+        if (httpMethod == null || CSRF_SAFE_METHODS.contains(httpMethod.toUpperCase(Locale.ROOT))) {
+            return true;
+        }
+
+        String origin = requestContext.getHeaderString("Origin");
+        String referer = requestContext.getHeaderString("Referer");
+
+        // No Origin and no Referer: non-browser client (curl, server-to-server) — allow
+        if ((origin == null || origin.isEmpty()) && (referer == null || referer.isEmpty())) {
+            return true;
+        }
+
+        String expectedHost = getServerHost(requestContext);
+
+        if (origin != null && !origin.isEmpty()) {
+            // "null" Origin comes from privacy-sensitive contexts (file://, data:) — allow
+            if ("null".equals(origin)) {
+                return true;
+            }
+            return hostMatches(origin, expectedHost);
+        }
+
+        if (referer != null && !referer.isEmpty()) {
+            return hostMatches(referer, expectedHost);
+        }
+
+        return true;
+    }
+
+    /**
+     * Resolves the expected server host from the request, preferring the
+     * {@code X-Forwarded-Host} and {@code Host} headers so the check works
+     * correctly behind reverse proxies.
+     */
+    private String getServerHost(ContainerRequestContext requestContext) {
+        String forwarded = requestContext.getHeaderString("X-Forwarded-Host");
+        if (forwarded != null && !forwarded.isEmpty()) {
+            String first = forwarded.split(",")[0].trim().toLowerCase(Locale.ROOT);
+            if (!first.isEmpty()) {
+                return first;
+            }
+        }
+
+        String host = requestContext.getHeaderString("Host");
+        if (host != null && !host.isEmpty()) {
+            return host.trim().toLowerCase(Locale.ROOT);
+        }
+
+        // Fallback: derive from the JAX-RS request URI (works for direct connections)
+        URI requestUri = requestContext.getUriInfo().getRequestUri();
+        String scheme = requestUri.getScheme().toLowerCase(Locale.ROOT);
+        String uriHost = requestUri.getHost().toLowerCase(Locale.ROOT);
+        int port = requestUri.getPort();
+        if (port == -1
+                || ("http".equals(scheme) && port == 80)
+                || ("https".equals(scheme) && port == 443)) {
+            return uriHost;
+        }
+        return uriHost + ":" + port;
+    }
+
+    private boolean hostMatches(String headerValue, String expectedHost) {
+        try {
+            URI uri = new URI(headerValue.trim());
+            String scheme = uri.getScheme() != null ? uri.getScheme().toLowerCase(Locale.ROOT) : "";
+            String uriHost = uri.getHost() != null ? uri.getHost().toLowerCase(Locale.ROOT) : "";
+            int uriPort = uri.getPort();
+
+            String normalised;
+            if (uriPort == -1
+                    || ("http".equals(scheme) && uriPort == 80)
+                    || ("https".equals(scheme) && uriPort == 443)) {
+                normalised = uriHost;
+            } else {
+                normalised = uriHost + ":" + uriPort;
+            }
+            return expectedHost.equals(normalised);
+        } catch (URISyntaxException e) {
+            // Malformed header — treat as non-matching for safety
+            return false;
+        }
+    }
+}
diff --git a/amp/src/main/java/org/digijava/kernel/security/csrf/RestCsrfOriginFilter.java b/amp/src/main/java/org/digijava/kernel/security/csrf/RestCsrfOriginFilter.java
deleted file mode 100644
index bbb1b79624e..00000000000
--- a/amp/src/main/java/org/digijava/kernel/security/csrf/RestCsrfOriginFilter.java
+++ /dev/null
@@ -1,153 +0,0 @@
-package org.digijava.kernel.security.csrf;
-
-import java.io.IOException;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Locale;
-import java.util.Set;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-/**
- * CSRF protection for the /rest/** Jersey endpoints.
- *
- * <p>Spring Security is bypassed for /rest/** (security="none"), so this filter
- * provides Origin/Referer-based same-origin enforcement instead.
- *
- * <p>Strategy:
- * <ul>
- *   <li>Safe HTTP methods (GET, HEAD, OPTIONS, TRACE) are always allowed.</li>
- *   <li>If no Origin or Referer header is present the request is allowed — this
- *       covers non-browser clients (curl, server-to-server, mobile apps) that
- *       never send those headers.</li>
- *   <li>If Origin is present and matches the server host the request is allowed.</li>
- *   <li>If Origin is present and does NOT match the server host the request is
- *       rejected with 403.</li>
- *   <li>If Origin is absent but Referer is present and does not match, the request
- *       is rejected.</li>
- * </ul>
- */
-public class RestCsrfOriginFilter implements Filter {
-
-    private static final Set<String> SAFE_METHODS =
-            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE"));
-
-    @Override
-    public void init(FilterConfig filterConfig) throws ServletException {
-        // no initialisation required
-    }
-
-    @Override
-    public void doFilter(ServletRequest servletRequest,
-                         ServletResponse servletResponse,
-                         FilterChain chain) throws IOException, ServletException {
-
-        HttpServletRequest request = (HttpServletRequest) servletRequest;
-        HttpServletResponse response = (HttpServletResponse) servletResponse;
-
-        String method = request.getMethod();
-        if (method == null || SAFE_METHODS.contains(method.toUpperCase(Locale.ROOT))) {
-            chain.doFilter(request, response);
-            return;
-        }
-
-        String originHeader = request.getHeader("Origin");
-        String refererHeader = request.getHeader("Referer");
-
-        // No Origin and no Referer: non-browser client — allow
-        if ((originHeader == null || originHeader.isEmpty())
-                && (refererHeader == null || refererHeader.isEmpty())) {
-            chain.doFilter(request, response);
-            return;
-        }
-
-        String expectedHost = getServerHost(request);
-
-        // Check Origin first (most reliable)
-        if (originHeader != null && !originHeader.isEmpty()) {
-            // "null" Origin comes from privacy-sensitive contexts (file://, data:) - allow
-            if ("null".equals(originHeader)) {
-                chain.doFilter(request, response);
-                return;
-            }
-            if (hostMatches(originHeader, expectedHost)) {
-                chain.doFilter(request, response);
-            } else {
-                response.sendError(HttpServletResponse.SC_FORBIDDEN,
-                        "CSRF check failed: Origin header does not match server host");
-            }
-            return;
-        }
-
-        // Fall back to Referer if Origin is absent
-        if (refererHeader != null && !refererHeader.isEmpty()) {
-            if (hostMatches(refererHeader, expectedHost)) {
-                chain.doFilter(request, response);
-            } else {
-                response.sendError(HttpServletResponse.SC_FORBIDDEN,
-                        "CSRF check failed: Referer header does not match server host");
-            }
-            return;
-        }
-
-        // Should not reach here given earlier checks, but allow by default
-        chain.doFilter(request, response);
-    }
-
-    /**
-     * Returns "host[:port]" for the current request, normalising default ports
-     * (80 for http, 443 for https) so they are omitted from comparison.
-     */
-    private String getServerHost(HttpServletRequest request) {
-        String scheme = request.getScheme().toLowerCase(Locale.ROOT);
-        String host = request.getServerName().toLowerCase(Locale.ROOT);
-        int port = request.getServerPort();
-        if (("http".equals(scheme) && port == 80)
-                || ("https".equals(scheme) && port == 443)) {
-            return host;
-        }
-        return host + ":" + port;
-    }
-
-    /**
-     * Extracts the "host[:port]" from an Origin or Referer header value and
-     * compares it against the expected server host string.
-     */
-    private boolean hostMatches(String headerValue, String expectedHost) {
-        try {
-            URI uri = new URI(headerValue.trim());
-            String scheme = uri.getScheme() != null
-                    ? uri.getScheme().toLowerCase(Locale.ROOT) : "";
-            String uriHost = uri.getHost() != null
-                    ? uri.getHost().toLowerCase(Locale.ROOT) : "";
-            int uriPort = uri.getPort(); // -1 if absent
-
-            String normalised;
-            if (uriPort == -1
-                    || ("http".equals(scheme) && uriPort == 80)
-                    || ("https".equals(scheme) && uriPort == 443)) {
-                normalised = uriHost;
-            } else {
-                normalised = uriHost + ":" + uriPort;
-            }
-            return expectedHost.equals(normalised);
-        } catch (URISyntaxException e) {
-            // Malformed header — treat as non-matching for safety
-            return false;
-        }
-    }
-
-    @Override
-    public void destroy() {
-        // nothing to clean up
-    }
-}
diff --git a/amp/src/main/webapp/WEB-INF/web.xml b/amp/src/main/webapp/WEB-INF/web.xml
index 130bfe70d14..1fff2ca99f7 100644
--- a/amp/src/main/webapp/WEB-INF/web.xml
+++ b/amp/src/main/webapp/WEB-INF/web.xml
@@ -48,17 +48,6 @@
 		</listener-class>
 	</listener>
 
-        <!-- CSRF Origin/Referer check for /rest/** (Spring Security is bypassed there) -->
-        <filter>
-                <filter-name>restCsrfOriginFilter</filter-name>
-                <filter-class>org.digijava.kernel.security.csrf.RestCsrfOriginFilter</filter-class>
-        </filter>
-        <filter-mapping>
-                <filter-name>restCsrfOriginFilter</filter-name>
-                <url-pattern>/rest/*</url-pattern>
-                <dispatcher>REQUEST</dispatcher>
-        </filter-mapping>
-
 	<filter>
 		<filter-name>characterEncodingFilter</filter-name>
 		<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>

From e84e47de73ee3b0721eb7e3e7fce09871257834b Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 14:16:30 +0300
Subject: [PATCH 11/23] AMP-31142 : Modernize authentication handling

---
 .../endpoints/security/ActionAuthorizer.java  |  4 ++--
 .../endpoints/security/ApiAuthentication.java |  2 +-
 .../endpoints/security/SecurityService.java   | 23 +++++++++++++------
 3 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ActionAuthorizer.java b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ActionAuthorizer.java
index 23624380823..6b42e64c85f 100644
--- a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ActionAuthorizer.java
+++ b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ActionAuthorizer.java
@@ -31,7 +31,7 @@
  */
 public class ActionAuthorizer {
 
-    protected static final Logger logger = Logger.getLogger(ActionAuthorizer.class);
+    private static final Logger logger = Logger.getLogger(ActionAuthorizer.class);
     
     private static RuleHierarchy<AuthRule> ruleHierarchy = new RuleHierarchy.Builder<AuthRule>()
             .addRuleDependency(AuthRule.IN_WORKSPACE, AuthRule.AUTHENTICATED)
@@ -64,7 +64,7 @@ public static void authorize(Method method, ApiMethod apiMethod, ContainerReques
         }
 
         Collection<AuthRule> authRules = ruleHierarchy.getEffectiveRules(apiMethod.authTypes());
-        logger.info("Authenticated: "+AuthRule.AUTHENTICATED +"User: "+TeamUtil.getCurrentUser());
+        logger.debug("Authenticated: " + AuthRule.AUTHENTICATED + " User: " + TeamUtil.getCurrentUser());
 
         if (authRules.contains(AuthRule.AUTHENTICATED) && TeamUtil.getCurrentUser() == null) {
             ApiErrorResponseService.reportUnauthorisedAccess(SecurityErrors.NOT_AUTHENTICATED);
diff --git a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ApiAuthentication.java b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ApiAuthentication.java
index aa263297899..0ed4b0bbcc3 100644
--- a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ApiAuthentication.java
+++ b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ApiAuthentication.java
@@ -27,7 +27,7 @@
  */
 public final class ApiAuthentication {
 
-    protected static Logger logger = Logger.getLogger(ApiAuthentication.class);
+    private static final Logger logger = Logger.getLogger(ApiAuthentication.class);
 
     public static ApiErrorMessage login(final User currentUser, final HttpServletRequest request) {
         ApiErrorMessage errorMessage = performSecurityChecks(currentUser, request);
diff --git a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/SecurityService.java b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/SecurityService.java
index d5483fda4c5..85c1af99356 100644
--- a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/SecurityService.java
+++ b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/SecurityService.java
@@ -38,8 +38,11 @@
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Locale;
 import java.util.stream.Collectors;
 
 import static javax.ws.rs.core.Response.Status.BAD_REQUEST;
@@ -203,7 +206,11 @@ public UserSessionInformation authenticate(AuthenticationRequest authRequest) {
         }
     
         User user = UserUtils.getUserByEmailAddress(username);
-        if (user == null || !user.getPassword().equals(password)) {
+        String storedPassword = (user != null && user.getPassword() != null) ? user.getPassword() : "";
+        boolean passwordMatches = MessageDigest.isEqual(
+                storedPassword.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8),
+                password.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8));
+        if (user == null || !passwordMatches) {
             ApiErrorResponseService.reportForbiddenAccess(SecurityErrors.INVALID_USER_PASSWORD);
         }
     
@@ -219,7 +226,7 @@ public UserSessionInformation authenticate(AuthenticationRequest authRequest) {
             ApiErrorResponseService.reportError(BAD_REQUEST, SecurityErrors.INVALID_TEAM);
         }
     
-        storeInSession(username, password, teamMember, user);
+        storeInSession(username, teamMember, user);
         String ampTeamName = (teamMember == null) ? null : teamMember.getAmpTeam().getName();
         boolean isAdmin = user.isGlobalAdmin();
         return SecurityService.getInstance().createUserSessionInformation(isAdmin, user, ampTeamName, true);
@@ -240,11 +247,13 @@ private AmpTeamMember getAmpTeamMember(String username, Long workspaceId) {
         return teamMember;
     }
     
-    private void storeInSession(String username, String password, AmpTeamMember teamMember, User user) {
-        final UsernamePasswordAuthenticationToken authRequest =
-                new UsernamePasswordAuthenticationToken(username, password);
-        authRequest.setDetails(new WebAuthenticationDetails(TLSUtils.getRequest()));
-        SecurityContextHolder.getContext().setAuthentication(authRequest);
+    private void storeInSession(String username, AmpTeamMember teamMember, User user) {
+        // Do not pass credentials to the token — the submitted hash must not be
+        // stored in the Spring Security context or serialised into the session.
+        final UsernamePasswordAuthenticationToken authToken =
+                new UsernamePasswordAuthenticationToken(username, null);
+        authToken.setDetails(new WebAuthenticationDetails(TLSUtils.getRequest()));
+        SecurityContextHolder.getContext().setAuthentication(authToken);
         final HttpSession session = TLSUtils.getRequest().getSession();
         PermissionUtil.putInScope(session, GatePermConst.ScopeKeys.CURRENT_MEMBER, teamMember);
         if (teamMember != null) {

From e5fa1c7c8b0e3a086ed49f1449c0fa9694bf9e12 Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 14:30:40 +0300
Subject: [PATCH 12/23] AMP-31143 : Restore browser hardening headers and
 document cookie and HTTPS policy.

---
 .../amp/onepager/OnePagerApp.java             |  19 +---
 .../kernel/web/SecurityHeadersFilter.java     | 103 ++++++++++++++++++
 amp/src/main/webapp/WEB-INF/web.xml           |  25 +++++
 3 files changed, 131 insertions(+), 16 deletions(-)
 create mode 100644 amp/src/main/java/org/digijava/kernel/web/SecurityHeadersFilter.java

diff --git a/amp/src/main/java/org/dgfoundation/amp/onepager/OnePagerApp.java b/amp/src/main/java/org/dgfoundation/amp/onepager/OnePagerApp.java
index 92975b7e1ba..d418fba54d0 100644
--- a/amp/src/main/java/org/dgfoundation/amp/onepager/OnePagerApp.java
+++ b/amp/src/main/java/org/dgfoundation/amp/onepager/OnePagerApp.java
@@ -172,22 +172,9 @@ public void init() {
         addSpringCsrfTokenToWicketAjax();
         addWicketCsrfProtection();
 
-//        getRequestCycleListeners().add(new AbstractRequestCycleListener() {
-//            @Override
-//            public void onBeginRequest(RequestCycle cycle) {
-//                WebResponse response = (WebResponse) cycle.getResponse();
-//                response.setHeader("Content-Security-Policy",
-//                        "default-src 'self'; " +
-//                                "script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
-//                                "style-src 'self' 'unsafe-inline'; " +
-//                                "img-src 'self' data:; " +
-//                                "frame-ancestors 'none'; " +
-//                                "object-src 'none';");
-//                response.setHeader("X-Frame-Options", "SAMEORIGIN");
-//            }
-//        });
-
-
+        // Browser hardening headers (X-Frame-Options, Content-Security-Policy, HSTS, etc.)
+        // are now applied globally by SecurityHeadersFilter registered in web.xml, so no
+        // per-cycle header injection is needed here.
 
         setHeaderResponseDecorator(new IHeaderResponseDecorator() {
             @Override
diff --git a/amp/src/main/java/org/digijava/kernel/web/SecurityHeadersFilter.java b/amp/src/main/java/org/digijava/kernel/web/SecurityHeadersFilter.java
new file mode 100644
index 00000000000..7cf8d036478
--- /dev/null
+++ b/amp/src/main/java/org/digijava/kernel/web/SecurityHeadersFilter.java
@@ -0,0 +1,103 @@
+package org.digijava.kernel.web;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * Servlet filter that adds browser-hardening HTTP security headers to every response.
+ *
+ * <p>Headers applied:
+ * <ul>
+ *   <li>{@code X-Content-Type-Options: nosniff} – prevents MIME-type sniffing.</li>
+ *   <li>{@code X-Frame-Options: SAMEORIGIN} – blocks cross-origin iframe embedding.</li>
+ *   <li>{@code X-XSS-Protection: 0} – disables the legacy browser XSS Auditor (which can
+ *       introduce vulnerabilities of its own; modern browsers ignore it in favour of CSP).</li>
+ *   <li>{@code Referrer-Policy: strict-origin-when-cross-origin} – limits referrer
+ *       leakage on cross-origin navigations.</li>
+ *   <li>{@code Content-Security-Policy} – restricts resource origins to reduce XSS and
+ *       data-injection attack surface. {@code 'unsafe-inline'} and {@code 'unsafe-eval'}
+ *       are permitted for scripts and styles because the legacy Wicket/Struts UI embeds
+ *       inline code extensively; tightening these directives requires a separate
+ *       front-end refactor.</li>
+ *   <li>{@code Strict-Transport-Security: max-age=31536000; includeSubDomains} – instructs
+ *       browsers to use HTTPS exclusively for one year. Applied only when the current
+ *       request itself arrived over TLS, so plain-HTTP local environments are not
+ *       immediately broken. See the cookie policy note below.</li>
+ * </ul>
+ *
+ * <p><b>Cookie policy</b>: the session cookie is declared {@code HttpOnly} and
+ * {@code Secure} through {@code <cookie-config>} in {@code web.xml}.
+ * {@code HttpOnly} prevents client-side JavaScript from reading the session token.
+ * {@code Secure} ensures the cookie is only transmitted over HTTPS.
+ *
+ * <p><b>HTTPS requirement</b>: the {@code Secure} cookie flag and HSTS together require
+ * every deployment to terminate TLS. If the application sits behind a TLS-terminating
+ * load-balancer or reverse-proxy, configure it to forward {@code X-Forwarded-Proto:
+ * https}; Tomcat must then be configured with a {@code RemoteIpValve} (or equivalent)
+ * so that {@link HttpServletRequest#isSecure()} returns {@code true} and
+ * {@link javax.servlet.http.HttpServletRequest#getScheme()} returns {@code "https"}.
+ * For local development over plain HTTP, remove the {@code <secure>true</secure>} entry
+ * from the {@code <cookie-config>} in {@code web.xml}.
+ */
+public class SecurityHeadersFilter implements Filter {
+
+    private static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";
+
+    /**
+     * Content-Security-Policy directive applied to every response.
+     *
+     * <p>Directive notes:
+     * <ul>
+     *   <li>{@code frame-ancestors 'self'} is the CSP equivalent of {@code X-Frame-Options:
+     *       SAMEORIGIN} and takes precedence in browsers that support CSP Level 2.</li>
+     *   <li>{@code img-src 'self' data: blob:} is required because several UI components
+     *       embed images as data URIs or object URLs.</li>
+     *   <li>{@code font-src 'self' data:} covers web-fonts bundled as data URIs.</li>
+     * </ul>
+     */
+    private static final String CSP_VALUE =
+            "default-src 'self'; "
+            + "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
+            + "style-src 'self' 'unsafe-inline'; "
+            + "img-src 'self' data: blob:; "
+            + "font-src 'self' data:; "
+            + "connect-src 'self'; "
+            + "frame-ancestors 'self'; "
+            + "object-src 'none';";
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+            throws IOException, ServletException {
+
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+
+        httpResponse.setHeader("X-Content-Type-Options", "nosniff");
+        httpResponse.setHeader("X-Frame-Options", "SAMEORIGIN");
+        httpResponse.setHeader("X-XSS-Protection", "0");
+        httpResponse.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+        httpResponse.setHeader("Content-Security-Policy", CSP_VALUE);
+
+        // Only add HSTS when the connection is already secure; sending it over plain
+        // HTTP would lock out users who cannot reach the HTTPS endpoint yet.
+        if (((HttpServletRequest) request).isSecure()) {
+            httpResponse.setHeader("Strict-Transport-Security", HSTS_VALUE);
+        }
+
+        chain.doFilter(request, response);
+    }
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+    }
+
+    @Override
+    public void destroy() {
+    }
+}
diff --git a/amp/src/main/webapp/WEB-INF/web.xml b/amp/src/main/webapp/WEB-INF/web.xml
index 1fff2ca99f7..b4c7576808b 100644
--- a/amp/src/main/webapp/WEB-INF/web.xml
+++ b/amp/src/main/webapp/WEB-INF/web.xml
@@ -10,8 +10,21 @@
 	<!-- ******************************************* -->
 	<!-- * DO NOT ADD ANYTHING BEFORE THIS SEGMENT * -->
 	<!-- ******************************************* -->
+	<!--
+	  Session cookie policy:
+	    HttpOnly  - prevents client-side JavaScript from reading the session token.
+	    Secure    - restricts cookie transmission to HTTPS connections only.
+	                Remove <secure>true</secure> for local development over plain HTTP.
+	    COOKIE    - disables URL-based session tracking so the session ID never
+	                appears in the request URI.
+	-->
 	<session-config>
 		<session-timeout>5</session-timeout>
+		<cookie-config>
+			<http-only>true</http-only>
+			<secure>true</secure>
+		</cookie-config>
+		<tracking-mode>COOKIE</tracking-mode>
 	</session-config>
 	<filter>
 		<filter-name>javamelody</filter-name>
@@ -33,6 +46,18 @@
 		</listener-class>
 	</listener>
 
+	<!-- Browser-hardening response headers (X-Frame-Options, CSP, HSTS, etc.) -->
+	<filter>
+		<filter-name>securityHeadersFilter</filter-name>
+		<filter-class>org.digijava.kernel.web.SecurityHeadersFilter</filter-class>
+	</filter>
+	<filter-mapping>
+		<filter-name>securityHeadersFilter</filter-name>
+		<url-pattern>/*</url-pattern>
+		<dispatcher>REQUEST</dispatcher>
+		<dispatcher>ERROR</dispatcher>
+	</filter-mapping>
+
 	<filter>
 		<filter-name>gzipRequestFilter</filter-name>
 		<filter-class>org.digijava.kernel.web.gzip.GzipRequestFilter</filter-class>

From 14d4a62ac3cf81bd04a71c5b00c85343a0a73d5e Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 16:10:54 +0300
Subject: [PATCH 13/23] AMP-31141 : Failing to get resources

---
 .../endpoints/resource/ResourceService.java   |  7 +++++-
 .../endpoints/security/ActionAuthorizer.java  |  4 +--
 amp/src/main/webapp/WEB-INF/web.xml           | 25 -------------------
 3 files changed, 8 insertions(+), 28 deletions(-)

diff --git a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/resource/ResourceService.java b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/resource/ResourceService.java
index ce0a84dca30..d2193f95e32 100644
--- a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/resource/ResourceService.java
+++ b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/resource/ResourceService.java
@@ -140,7 +140,12 @@ public List<JsonApiResponse> getAllResources(List<String> uuids) {
         List<JsonApiResponse> resources = new ArrayList<>();
 
         for (String uuid : uuids) {
-            resources.add(getResource(uuid));
+            Node readNode = DocumentManagerUtil.getReadNode(uuid, TLSUtils.getRequest());
+            if (readNode == null) {
+                resources.add(new JsonApiResponse(ApiError.toError(ResourceErrors.RESOURCE_NOT_FOUND)));
+            } else {
+                resources.add(getResource(uuid));
+            }
         }
 
         return resources;
diff --git a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ActionAuthorizer.java b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ActionAuthorizer.java
index 6b42e64c85f..23624380823 100644
--- a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ActionAuthorizer.java
+++ b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/security/ActionAuthorizer.java
@@ -31,7 +31,7 @@
  */
 public class ActionAuthorizer {
 
-    private static final Logger logger = Logger.getLogger(ActionAuthorizer.class);
+    protected static final Logger logger = Logger.getLogger(ActionAuthorizer.class);
     
     private static RuleHierarchy<AuthRule> ruleHierarchy = new RuleHierarchy.Builder<AuthRule>()
             .addRuleDependency(AuthRule.IN_WORKSPACE, AuthRule.AUTHENTICATED)
@@ -64,7 +64,7 @@ public static void authorize(Method method, ApiMethod apiMethod, ContainerReques
         }
 
         Collection<AuthRule> authRules = ruleHierarchy.getEffectiveRules(apiMethod.authTypes());
-        logger.debug("Authenticated: " + AuthRule.AUTHENTICATED + " User: " + TeamUtil.getCurrentUser());
+        logger.info("Authenticated: "+AuthRule.AUTHENTICATED +"User: "+TeamUtil.getCurrentUser());
 
         if (authRules.contains(AuthRule.AUTHENTICATED) && TeamUtil.getCurrentUser() == null) {
             ApiErrorResponseService.reportUnauthorisedAccess(SecurityErrors.NOT_AUTHENTICATED);
diff --git a/amp/src/main/webapp/WEB-INF/web.xml b/amp/src/main/webapp/WEB-INF/web.xml
index b4c7576808b..1fff2ca99f7 100644
--- a/amp/src/main/webapp/WEB-INF/web.xml
+++ b/amp/src/main/webapp/WEB-INF/web.xml
@@ -10,21 +10,8 @@
 	<!-- ******************************************* -->
 	<!-- * DO NOT ADD ANYTHING BEFORE THIS SEGMENT * -->
 	<!-- ******************************************* -->
-	<!--
-	  Session cookie policy:
-	    HttpOnly  - prevents client-side JavaScript from reading the session token.
-	    Secure    - restricts cookie transmission to HTTPS connections only.
-	                Remove <secure>true</secure> for local development over plain HTTP.
-	    COOKIE    - disables URL-based session tracking so the session ID never
-	                appears in the request URI.
-	-->
 	<session-config>
 		<session-timeout>5</session-timeout>
-		<cookie-config>
-			<http-only>true</http-only>
-			<secure>true</secure>
-		</cookie-config>
-		<tracking-mode>COOKIE</tracking-mode>
 	</session-config>
 	<filter>
 		<filter-name>javamelody</filter-name>
@@ -46,18 +33,6 @@
 		</listener-class>
 	</listener>
 
-	<!-- Browser-hardening response headers (X-Frame-Options, CSP, HSTS, etc.) -->
-	<filter>
-		<filter-name>securityHeadersFilter</filter-name>
-		<filter-class>org.digijava.kernel.web.SecurityHeadersFilter</filter-class>
-	</filter>
-	<filter-mapping>
-		<filter-name>securityHeadersFilter</filter-name>
-		<url-pattern>/*</url-pattern>
-		<dispatcher>REQUEST</dispatcher>
-		<dispatcher>ERROR</dispatcher>
-	</filter-mapping>
-
 	<filter>
 		<filter-name>gzipRequestFilter</filter-name>
 		<filter-class>org.digijava.kernel.web.gzip.GzipRequestFilter</filter-class>

From a21da261dd73731e25f2d4f1df3f021207fc8974 Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 16:40:20 +0300
Subject: [PATCH 14/23] AMP-31141 : Failing to get resources

---
 .../kernel/ampapi/endpoints/resource/ResourceService.java     | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/resource/ResourceService.java b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/resource/ResourceService.java
index d2193f95e32..091cb98505f 100644
--- a/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/resource/ResourceService.java
+++ b/amp/src/main/java/org/digijava/kernel/ampapi/endpoints/resource/ResourceService.java
@@ -25,6 +25,7 @@
 import javax.jcr.query.Query;
 import javax.jcr.query.QueryManager;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
@@ -142,7 +143,8 @@ public List<JsonApiResponse> getAllResources(List<String> uuids) {
         for (String uuid : uuids) {
             Node readNode = DocumentManagerUtil.getReadNode(uuid, TLSUtils.getRequest());
             if (readNode == null) {
-                resources.add(new JsonApiResponse(ApiError.toError(ResourceErrors.RESOURCE_NOT_FOUND)));
+                resources.add(new JsonApiResponse(
+                        ApiError.format(Collections.singletonList(ResourceErrors.RESOURCE_NOT_FOUND))));
             } else {
                 resources.add(getResource(uuid));
             }

From 5b21037aadce66fdde43241cf822e4a1197b5575 Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 17:05:27 +0300
Subject: [PATCH 15/23] AMP-31144 : Add dependency and CVE scanning for OWASP
 audit

---
 .github/workflows/security.yml  | 217 ++++++++++++++++++++++++++++++++
 amp/pom.xml                     |  68 ++++++++++
 security/owasp-suppressions.xml |  31 +++++
 3 files changed, 316 insertions(+)
 create mode 100644 .github/workflows/security.yml
 create mode 100644 security/owasp-suppressions.xml

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 00000000000..76c2481126f
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,217 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [ "**" ]
+  pull_request:
+    branches: [ "**" ]
+  schedule:
+    # Re-scan every Monday at 06:00 UTC to catch newly published CVEs
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  # Required to upload SARIF results to GitHub Security tab
+  security-events: write
+
+jobs:
+  # -----------------------------------------------------------------------
+  # Job 1: OWASP Dependency-Check (Java / Maven artifacts)
+  # -----------------------------------------------------------------------
+  owasp-maven:
+    name: OWASP Dependency-Check (Maven)
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v4
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+          cache: maven
+
+      # Cache the NVD data feed so successive runs skip the ~60s download
+      - name: Cache NVD data
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository/org/owasp/dependency-check-data
+          key: nvd-${{ runner.os }}-${{ github.run_id }}
+          restore-keys: |
+            nvd-${{ runner.os }}-
+
+      - name: Run OWASP Dependency-Check
+        working-directory: amp
+        run: |
+          mvn -B -ntp verify \
+            -P security \
+            -DskipTests \
+            -Dmaven.test.skip=true
+
+      - name: Upload HTML report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: owasp-dependency-check-report
+          path: amp/target/dependency-check-report/
+          retention-days: 30
+
+      - name: Upload SARIF to GitHub Security tab
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: amp/target/dependency-check-report/dependency-check-report.sarif
+          category: owasp-dependency-check
+
+  # -----------------------------------------------------------------------
+  # Job 2: npm audit — all frontend packages
+  # -----------------------------------------------------------------------
+  npm-audit:
+    name: npm audit (Frontend)
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    strategy:
+      fail-fast: false
+      matrix:
+        package:
+          - path: amp/TEMPLATE/reamp
+            name: reamp
+          - path: amp/TEMPLATE/ampTemplate/amp-state
+            name: amp-state
+          - path: amp/TEMPLATE/ampTemplate/amp-boilerplate
+            name: amp-boilerplate
+          - path: amp/TEMPLATE/ampTemplate/amp-filter
+            name: amp-filter
+          - path: amp/TEMPLATE/ampTemplate/amp-translate
+            name: amp-translate
+          - path: amp/TEMPLATE/ampTemplate/amp-url
+            name: amp-url
+          - path: amp/TEMPLATE/ampTemplate/amp-settings
+            name: amp-settings
+          - path: amp/TEMPLATE/ampTemplate/gis-layers-manager
+            name: gis-layers-manager
+          - path: amp/TEMPLATE/ampTemplate/dashboard/dev
+            name: dashboard
+          - path: amp/TEMPLATE/ampTemplate/gisModule/dev
+            name: gisModule
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '16'
+
+      - name: npm install (no scripts)
+        working-directory: ${{ matrix.package.path }}
+        run: npm install --ignore-scripts --prefer-offline 2>&1 || true
+
+      - name: npm audit
+        id: audit
+        working-directory: ${{ matrix.package.path }}
+        # Continue so all packages are scanned; the summary step decides outcome
+        continue-on-error: true
+        run: |
+          npm audit \
+            --audit-level high \
+            --json \
+            > /tmp/${{ matrix.package.name }}-audit.json 2>&1
+
+      - name: Print audit summary
+        if: always()
+        working-directory: ${{ matrix.package.path }}
+        run: |
+          FILE="/tmp/${{ matrix.package.name }}-audit.json"
+          if command -v jq &>/dev/null && [ -f "$FILE" ]; then
+            echo "### ${{ matrix.package.name }} vulnerability counts"
+            jq '{
+              critical: (.metadata.vulnerabilities.critical // 0),
+              high:     (.metadata.vulnerabilities.high     // 0),
+              moderate: (.metadata.vulnerabilities.moderate // 0),
+              low:      (.metadata.vulnerabilities.low      // 0)
+            }' "$FILE"
+          fi
+
+      - name: Upload audit JSON
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: npm-audit-${{ matrix.package.name }}
+          path: /tmp/${{ matrix.package.name }}-audit.json
+          retention-days: 30
+
+      - name: Fail on HIGH or CRITICAL findings
+        working-directory: ${{ matrix.package.path }}
+        run: |
+          FILE="/tmp/${{ matrix.package.name }}-audit.json"
+          if [ ! -f "$FILE" ]; then exit 0; fi
+          HIGH=$(jq '.metadata.vulnerabilities.high // 0' "$FILE")
+          CRIT=$(jq '.metadata.vulnerabilities.critical // 0' "$FILE")
+          TOTAL=$(( HIGH + CRIT ))
+          if [ "$TOTAL" -gt 0 ]; then
+            echo "::error::${{ matrix.package.name }}: ${CRIT} critical + ${HIGH} high vulnerabilities found. Run 'npm audit' in ${{ matrix.package.path }} for details."
+            exit 1
+          fi
+
+  # -----------------------------------------------------------------------
+  # Job 3: Trivy — container image CVE scan (runs on push to main / PRs)
+  # Catches OS-level CVEs that OWASP cannot see (e.g. base image packages)
+  # -----------------------------------------------------------------------
+  trivy-image:
+    name: Trivy (Container Image)
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    # Only scan the image on pushes to main/master or on PRs targeting them,
+    # to avoid redundant scans on every feature branch push.
+    if: |
+      github.event_name == 'pull_request' ||
+      github.ref == 'refs/heads/main' ||
+      github.ref == 'refs/heads/master' ||
+      github.event_name == 'schedule' ||
+      github.event_name == 'workflow_dispatch'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build Docker image (no push)
+        working-directory: amp
+        run: |
+          docker build \
+            --build-arg BUILD_SOURCE=security-scan \
+            --build-arg AMP_URL=http://localhost/ \
+            -t amp-security-scan:${{ github.sha }} \
+            . || echo "::warning::Docker build failed; skipping Trivy image scan"
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          image-ref: 'amp-security-scan:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'HIGH,CRITICAL'
+          exit-code: '1'
+          ignore-unfixed: true
+        continue-on-error: true
+
+      - name: Upload Trivy SARIF to GitHub Security tab
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif
+          category: trivy-container
+
+      - name: Upload Trivy SARIF artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-sarif
+          path: trivy-results.sarif
+          retention-days: 30
diff --git a/amp/pom.xml b/amp/pom.xml
index 2d8026b284e..f01846bd612 100644
--- a/amp/pom.xml
+++ b/amp/pom.xml
@@ -201,6 +201,23 @@
                 <antilock>false</antilock>
             </properties>
         </profile>
+
+        <!-- ============================================================== -->
+        <!-- Security profile: mvn verify -P security                        -->
+        <!-- Runs OWASP Dependency-Check against all Maven + bundled assets  -->
+        <!-- ============================================================== -->
+        <profile>
+            <id>security</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                        <version>9.2.0</version>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
     </profiles>
 
 
@@ -2327,6 +2344,57 @@
                     </execution>
                 </executions>
             </plugin>
+
+            <!-- ========================================================== -->
+            <!-- OWASP Dependency-Check: run via 'security' profile          -->
+            <!-- mvn verify -P security                                       -->
+            <!-- ========================================================== -->
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>9.2.0</version>
+                <configuration>
+                    <!-- Fail the build if any dependency has CVSS >= 7 (high/critical) -->
+                    <failBuildOnCVSS>7</failBuildOnCVSS>
+                    <!-- Suppress known FPs or accepted-risk CVEs -->
+                    <suppressionFile>${project.basedir}/../security/owasp-suppressions.xml</suppressionFile>
+                    <!-- Store NVD data locally to avoid repeated downloads in CI -->
+                    <nvdDatafeedUrl>https://nvd.nist.gov/feeds/json/cve/1.1/</nvdDatafeedUrl>
+                    <autoUpdate>true</autoUpdate>
+                    <!-- Scan bundled JS libraries in addition to Maven jars -->
+                    <scanSet>
+                        <fileSet>
+                            <directory>${project.basedir}/../ckeditor_4.4.6</directory>
+                        </fileSet>
+                        <fileSet>
+                            <directory>${project.basedir}/../ckeditor</directory>
+                        </fileSet>
+                        <fileSet>
+                            <directory>${project.basedir}/../TEMPLATE</directory>
+                            <useDefaultExcludes>true</useDefaultExcludes>
+                            <excludes>
+                                <exclude>**/node_modules/**</exclude>
+                            </excludes>
+                        </fileSet>
+                    </scanSet>
+                    <formats>
+                        <format>HTML</format>
+                        <format>JSON</format>
+                        <format>SARIF</format>
+                    </formats>
+                    <outputDirectory>${project.build.directory}/dependency-check-report</outputDirectory>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>dependency-check-verify</id>
+                        <!-- Bound to 'verify' so it runs only when the 'security' profile is active -->
+                        <phase>verify</phase>
+                        <goals>
+                            <goal>check</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
 
         <pluginManagement>
diff --git a/security/owasp-suppressions.xml b/security/owasp-suppressions.xml
new file mode 100644
index 00000000000..ff2b1c110fb
--- /dev/null
+++ b/security/owasp-suppressions.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  OWASP Dependency-Check suppression file.
+  Use this file to mark known-false-positive CVEs or accepted-risk findings.
+
+  Format reference:
+    https://jeremylong.github.io/DependencyCheck/general/suppression.html
+
+  Example entry (uncomment and fill in real CVE IDs when accepting risk):
+
+  <suppress>
+     <notes>FP: CVE-XXXX-XXXXX does not affect this usage because ...</notes>
+     <cve>CVE-XXXX-XXXXX</cve>
+  </suppress>
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+    <!--
+      antlr 2.7.6 — used only by Hibernate's HQL parser (internal, not exposed
+      to user input). Accept risk while Hibernate upgrade is planned.
+      Ticket: AMP-XXXX  Review date: 2026-12-01
+    -->
+    <!-- Uncomment when you verify the CVE and accept the risk:
+    <suppress>
+        <notes>antlr used only internally by Hibernate HQL; no user-facing parser exposure.</notes>
+        <gav regex="true">antlr:antlr:.*</gav>
+        <cve>CVE-XXXX-XXXXX</cve>
+    </suppress>
+    -->
+
+</suppressions>

From ffe92853a93aad0c051c74f4ec6f4367b2972710 Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 17:10:51 +0300
Subject: [PATCH 16/23] AMP-31144 : Add dependency and CVE scanning for OWASP
 audit

---
 .github/workflows/security.yml | 56 +++++++++++++++++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 76c2481126f..a551b100f89 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -6,9 +6,16 @@ on:
   pull_request:
     branches: [ "**" ]
   schedule:
-    # Re-scan every Monday at 06:00 UTC to catch newly published CVEs
+    # Re-scan every Monday at 06:00 UTC to catch newly published CVEs.
+    # Runs on the default branch; push/PR triggers cover all other branches.
     - cron: '0 6 * * 1'
   workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'PR number to scan (optional — leave blank to scan the branch selected above)'
+        required: false
+        type: string
+        default: ''
 
 permissions:
   contents: read
@@ -16,6 +23,44 @@ permissions:
   security-events: write
 
 jobs:
+  # -----------------------------------------------------------------------
+  # Resolve the exact commit to scan.
+  # - Automatic triggers (push / PR / schedule): use the triggering SHA.
+  # - Manual (workflow_dispatch, no pr_number): use the branch selected in
+  #   the "Run workflow" UI — GitHub checks out that branch automatically.
+  # - Manual (workflow_dispatch + pr_number): fetch the PR head SHA via API.
+  # -----------------------------------------------------------------------
+  setup:
+    name: Resolve target ref
+    runs-on: ubuntu-latest
+    outputs:
+      ref: ${{ steps.resolve.outputs.ref }}
+    steps:
+      - name: Resolve checkout ref
+        id: resolve
+        run: |
+          PR="${{ inputs.pr_number }}"
+          if [ -n "$PR" ]; then
+            if ! [[ "$PR" =~ ^[0-9]+$ ]]; then
+              echo "::error::pr_number must be numeric, got: ${PR}"
+              exit 1
+            fi
+            DATA=$(curl -sf \
+              -H "Authorization: Bearer ${{ github.token }}" \
+              "https://api.github.com/repos/${{ github.repository }}/pulls/${PR}")
+            STATE=$(echo "$DATA" | jq -r '.state')
+            if [ "$STATE" != "open" ]; then
+              echo "::error::PR #${PR} is not open (state: ${STATE})"
+              exit 1
+            fi
+            HEAD_REF=$(echo "$DATA" | jq -r '.head.ref')
+            HEAD_SHA=$(echo "$DATA" | jq -r '.head.sha')
+            echo "Scanning PR #${PR}: branch=${HEAD_REF} sha=${HEAD_SHA}"
+            echo "ref=${HEAD_SHA}" >> $GITHUB_OUTPUT
+          else
+            echo "ref=${{ github.sha }}" >> $GITHUB_OUTPUT
+          fi
+
   # -----------------------------------------------------------------------
   # Job 1: OWASP Dependency-Check (Java / Maven artifacts)
   # -----------------------------------------------------------------------
@@ -23,10 +68,13 @@ jobs:
     name: OWASP Dependency-Check (Maven)
     runs-on: ubuntu-latest
     timeout-minutes: 60
+    needs: setup
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.setup.outputs.ref }}
 
       - name: Set up JDK 11
         uses: actions/setup-java@v4
@@ -74,6 +122,7 @@ jobs:
     name: npm audit (Frontend)
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    needs: setup
 
     strategy:
       fail-fast: false
@@ -103,6 +152,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.setup.outputs.ref }}
 
       - name: Set up Node.js
         uses: actions/setup-node@v4
@@ -168,6 +219,7 @@ jobs:
     name: Trivy (Container Image)
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    needs: setup
     # Only scan the image on pushes to main/master or on PRs targeting them,
     # to avoid redundant scans on every feature branch push.
     if: |
@@ -180,6 +232,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.setup.outputs.ref }}
 
       - name: Build Docker image (no push)
         working-directory: amp

From d57eff9ff4b59b293c79bd7449cdfab5c6dee567 Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 17:13:45 +0300
Subject: [PATCH 17/23] AMP-31144 : Add dependency and CVE scanning for OWASP
 audit

---
 .github/workflows/security.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index a551b100f89..578455a564c 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -2,7 +2,11 @@ name: Security Scan
 
 on:
   push:
-    branches: [ "**" ]
+    # Scan the default branch directly on merge; feature branches are covered
+    # by the pull_request trigger below, avoiding duplicate runs.
+    branches:
+      - develop
+      - main
   pull_request:
     branches: [ "**" ]
   schedule:

From 478e2db5a5797d525b39b1a9b26c7c2f204ec1a1 Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 17:17:20 +0300
Subject: [PATCH 18/23] AMP-31144 : Add dependency and CVE scanning for OWASP
 audit

---
 .github/workflows/security.yml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 578455a564c..ad7cc2732dd 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -98,8 +98,13 @@ jobs:
 
       - name: Run OWASP Dependency-Check
         working-directory: amp
+        # Call the plugin goal directly to avoid triggering the full Maven
+        # lifecycle (which would run frontend-maven-plugin and fail in CI).
+        continue-on-error: true
+        id: owasp
         run: |
-          mvn -B -ntp verify \
+          mvn -B -ntp \
+            org.owasp:dependency-check-maven:9.2.0:check \
             -P security \
             -DskipTests \
             -Dmaven.test.skip=true
@@ -113,12 +118,16 @@ jobs:
           retention-days: 30
 
       - name: Upload SARIF to GitHub Security tab
-        if: always()
-        uses: github/codeql-action/upload-sarif@v3
+        if: always() && hashFiles('amp/target/dependency-check-report/dependency-check-report.sarif') != ''
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: amp/target/dependency-check-report/dependency-check-report.sarif
           category: owasp-dependency-check
 
+      - name: Fail if OWASP found CVEs
+        if: steps.owasp.outcome == 'failure'
+        run: exit 1
+
   # -----------------------------------------------------------------------
   # Job 2: npm audit — all frontend packages
   # -----------------------------------------------------------------------
@@ -260,8 +269,8 @@ jobs:
         continue-on-error: true
 
       - name: Upload Trivy SARIF to GitHub Security tab
-        if: always()
-        uses: github/codeql-action/upload-sarif@v3
+        if: always() && hashFiles('trivy-results.sarif') != ''
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: trivy-results.sarif
           category: trivy-container

From b1f8e11e78f7810c7343d07b52d860839ba54b20 Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 17:19:01 +0300
Subject: [PATCH 19/23] AMP-31144 : Add dependency and CVE scanning for OWASP
 audit

---
 .github/workflows/security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index ad7cc2732dd..da518680eaf 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -258,7 +258,7 @@ jobs:
             . || echo "::warning::Docker build failed; skipping Trivy image scan"
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.24.0
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           image-ref: 'amp-security-scan:${{ github.sha }}'
           format: 'sarif'

From 26893050459dae776f8d8059d2748cd5aabf8860 Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Tue, 16 Jun 2026 17:30:02 +0300
Subject: [PATCH 20/23] AMP-31144 : Add dependency and CVE scanning for OWASP
 audit

---
 .github/workflows/security.yml | 16 ----------------
 amp/pom.xml                    |  6 ++----
 2 files changed, 2 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index da518680eaf..b746cea911d 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -23,8 +23,6 @@ on:
 
 permissions:
   contents: read
-  # Required to upload SARIF results to GitHub Security tab
-  security-events: write
 
 jobs:
   # -----------------------------------------------------------------------
@@ -117,13 +115,6 @@ jobs:
           path: amp/target/dependency-check-report/
           retention-days: 30
 
-      - name: Upload SARIF to GitHub Security tab
-        if: always() && hashFiles('amp/target/dependency-check-report/dependency-check-report.sarif') != ''
-        uses: github/codeql-action/upload-sarif@v4
-        with:
-          sarif_file: amp/target/dependency-check-report/dependency-check-report.sarif
-          category: owasp-dependency-check
-
       - name: Fail if OWASP found CVEs
         if: steps.owasp.outcome == 'failure'
         run: exit 1
@@ -268,13 +259,6 @@ jobs:
           ignore-unfixed: true
         continue-on-error: true
 
-      - name: Upload Trivy SARIF to GitHub Security tab
-        if: always() && hashFiles('trivy-results.sarif') != ''
-        uses: github/codeql-action/upload-sarif@v4
-        with:
-          sarif_file: trivy-results.sarif
-          category: trivy-container
-
       - name: Upload Trivy SARIF artifact
         if: always()
         uses: actions/upload-artifact@v4
diff --git a/amp/pom.xml b/amp/pom.xml
index f01846bd612..8a6a4d66123 100644
--- a/amp/pom.xml
+++ b/amp/pom.xml
@@ -2356,11 +2356,10 @@
                 <configuration>
                     <!-- Fail the build if any dependency has CVSS >= 7 (high/critical) -->
                     <failBuildOnCVSS>7</failBuildOnCVSS>
+                    <!-- Always generate a report even if NVD data cannot be downloaded -->
+                    <failOnError>false</failOnError>
                     <!-- Suppress known FPs or accepted-risk CVEs -->
                     <suppressionFile>${project.basedir}/../security/owasp-suppressions.xml</suppressionFile>
-                    <!-- Store NVD data locally to avoid repeated downloads in CI -->
-                    <nvdDatafeedUrl>https://nvd.nist.gov/feeds/json/cve/1.1/</nvdDatafeedUrl>
-                    <autoUpdate>true</autoUpdate>
                     <!-- Scan bundled JS libraries in addition to Maven jars -->
                     <scanSet>
                         <fileSet>
@@ -2380,7 +2379,6 @@
                     <formats>
                         <format>HTML</format>
                         <format>JSON</format>
-                        <format>SARIF</format>
                     </formats>
                     <outputDirectory>${project.build.directory}/dependency-check-report</outputDirectory>
                 </configuration>

From af575e28a17b268d16eecb2d7473f560a0a215de Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Wed, 17 Jun 2026 07:15:24 +0300
Subject: [PATCH 21/23] AMP-31144 : Add dependency and CVE scanning for OWASP
 audit

---
 amp/pom.xml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/amp/pom.xml b/amp/pom.xml
index 8a6a4d66123..2e2b59757a7 100644
--- a/amp/pom.xml
+++ b/amp/pom.xml
@@ -2356,8 +2356,6 @@
                 <configuration>
                     <!-- Fail the build if any dependency has CVSS >= 7 (high/critical) -->
                     <failBuildOnCVSS>7</failBuildOnCVSS>
-                    <!-- Always generate a report even if NVD data cannot be downloaded -->
-                    <failOnError>false</failOnError>
                     <!-- Suppress known FPs or accepted-risk CVEs -->
                     <suppressionFile>${project.basedir}/../security/owasp-suppressions.xml</suppressionFile>
                     <!-- Scan bundled JS libraries in addition to Maven jars -->

From edab738d74f83f4df119653817699b0a4b3aff33 Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Wed, 17 Jun 2026 10:21:23 +0300
Subject: [PATCH 22/23] AMP-31144 : Add dependency and CVE scanning for OWASP
 audit

---
 amp/pom.xml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/amp/pom.xml b/amp/pom.xml
index 2e2b59757a7..91b7b2ffd10 100644
--- a/amp/pom.xml
+++ b/amp/pom.xml
@@ -214,6 +214,25 @@
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
                         <version>9.2.0</version>
+                        <configuration>
+                            <!-- Fail the build if any dependency has CVSS >= 7 (high/critical) -->
+                            <failBuildOnCVSS>7</failBuildOnCVSS>
+                            <!-- Suppress known FPs or accepted-risk CVEs -->
+                            <suppressionFile>${project.basedir}/../security/owasp-suppressions.xml</suppressionFile>
+                            <!-- Scan bundled JS libraries in addition to Maven jars -->
+                            <scanSet>
+                                <fileSet>
+                                    <directory>${project.basedir}/../ckeditor_4.4.6</directory>
+                                </fileSet>
+                            </scanSet>
+                            <!-- Report formats: HTML for humans, JSON for CI/automation -->
+                            <formats>
+                                <format>HTML</format>
+                                <format>JSON</format>
+                            </formats>
+                            <!-- Output to target/dependency-check-report/ so GHA can find it -->
+                            <outputDirectory>${project.build.directory}/dependency-check-report</outputDirectory>
+                        </configuration>
                     </plugin>
                 </plugins>
             </build>

From ab2da48935b11f1c8cc1151f5f9d5754de18e057 Mon Sep 17 00:00:00 2001
From: brianbrix <mokandubrian@gmail.com>
Date: Wed, 17 Jun 2026 10:40:42 +0300
Subject: [PATCH 23/23] AMP-31144 : Add dependency and CVE scanning for OWASP
 audit

---
 amp/pom.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/amp/pom.xml b/amp/pom.xml
index 91b7b2ffd10..97f18667048 100644
--- a/amp/pom.xml
+++ b/amp/pom.xml
@@ -233,6 +233,14 @@
                             <!-- Output to target/dependency-check-report/ so GHA can find it -->
                             <outputDirectory>${project.build.directory}/dependency-check-report</outputDirectory>
                         </configuration>
+                        <executions>
+                            <execution>
+                                <phase>verify</phase>
+                                <goals>
+                                    <goal>check</goal>
+                                </goals>
+                            </execution>
+                        </executions>
                     </plugin>
                 </plugins>
             </build>